new file mode 100644
@@ -0,0 +1,52 @@
+From 141c9b6015fc56cd05db3a853f08d03fcbd9b0f4 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 12 Mar 2026 09:48:57 +0100
+Subject: [PATCH] cert-session: fix multi-entry OCSP revocation bypass
+
+In check_ocsp_response(), the code first searched
+for the SingleResponse that matches the certificate being validated.
+But later, the status was retrieved from entry 0 unconditionally,
+rather than from the matched resp_indx.
+As a result, if entry 0 corresponded to a different certificate and was good,
+while the matched entry for the peer certificate is revoked,
+the revocation check could've mistakenly accept the certificate.
+
+Reported-by: Oleh Konko (1seal) <security@1seal.org>
+Reported-by: Joshua Rogers of AISLE Research Team <joshua@joshua.hu>
+Fixes: #1801
+Fixes: #1812
+Fixes: CVE-2026-3832
+Fixes: GNUTLS-SA-2026-04-29-12
+CVSS: 3.7 Low CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
+Introduced-in: ae404fe8488dee424876b5963c00d7e041672415 3.8.9
+
+CVE: CVE-2026-3832
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/731861b9de8dccaf7d3b0c1446833051e48670c2]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit 731861b9de8dccaf7d3b0c1446833051e48670c2)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ lib/cert-session.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/cert-session.c b/lib/cert-session.c
+index 963f797ee..f48c7a1fb 100644
+--- a/lib/cert-session.c
++++ b/lib/cert-session.c
+@@ -343,9 +343,9 @@ static int check_ocsp_response(gnutls_session_t session, gnutls_x509_crt_t cert,
+ goto cleanup;
+ }
+
+- ret = gnutls_ocsp_resp_get_single(resp, 0, NULL, NULL, NULL, NULL,
+- &cert_status, &vtime, &ntime, &rtime,
+- NULL);
++ ret = gnutls_ocsp_resp_get_single(resp, resp_indx, NULL, NULL, NULL,
++ NULL, &cert_status, &vtime, &ntime,
++ &rtime, NULL);
+ if (ret < 0) {
+ _gnutls_audit_log(
+ session,
+--
+2.51.0
+
new file mode 100644
@@ -0,0 +1,114 @@
+From ac357f76abeaf59429bc15b8764ad01920df0ef1 Mon Sep 17 00:00:00 2001
+From: Alexander Sosedkin <asosedkin@redhat.com>
+Date: Thu, 12 Mar 2026 15:25:24 +0100
+Subject: [PATCH] tests/ocsp-tests/ocsp-must-staple-connection: test
+ CVE-2026-3832
+
+CVE: CVE-2026-3832
+Upstream-Status: Backport [https://gitlab.com/gnutls/gnutls/-/commit/d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e]
+
+Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
+(cherry picked from commit d52d5f4f383e8c5d8e9a03334f2421ff35d37d2e)
+Signed-off-by: Sudhir Dumbhare <sudumbha@cisco.com>
+---
+ .../ocsp-tests/ocsp-must-staple-connection.sh | 70 +++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/tests/ocsp-tests/ocsp-must-staple-connection.sh b/tests/ocsp-tests/ocsp-must-staple-connection.sh
+index 94d41ce24..5e100b9d9 100755
+--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh
++++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh
+@@ -85,6 +85,7 @@ OCSP_RESPONSE_FILE="$testdir/ms-resp.tmp"
+ OCSP_REQ_FILE="$testdir/ms-req.tmp"
+ INDEXFILE="$testdir/ocsp_index.txt"
+ ATTRFILE="${INDEXFILE}.attr"
++SERVER_CERT_BAD_FILE="$testdir/ms-cert-bad.pem.tmp"
+
+ stop_servers ()
+ {
+@@ -118,6 +119,20 @@ ${CERTTOOL} \
+ --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \
+ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_FILE}" 2>/dev/null
+
++echo "=== Generating bad server certificate ==="
++
++rm -f "$TEMPLATE_FILE"
++cp "${srcdir}/ocsp-tests/certs/server_bad.template" "$TEMPLATE_FILE"
++chmod u+w "$TEMPLATE_FILE"
++echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE"
++
++${CERTTOOL} \
++ --attime "${CERTDATE}" \
++ --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \
++ --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \
++ --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \
++ --template "${TEMPLATE_FILE}" --outfile "${SERVER_CERT_BAD_FILE}" 2>/dev/null
++
+ echo "=== Bringing OCSP server up ==="
+
+ cp "${srcdir}/ocsp-tests/certs/ocsp_index.txt" ${INDEXFILE}
+@@ -486,6 +501,61 @@ kill "${TLS_SERVER_PID}"
+ wait "${TLS_SERVER_PID}"
+ unset TLS_SERVER_PID
+
++echo "=== Test 10: Server with revoked certificate - CVE-2026-3832 ==="
++
++# The revocation status was always mistakenly checked for the first cert.
++# Check a pair of responses: (irrelevant good unrevoked, relevant bad revoked).
++
++rm -f "${OCSP_RESPONSE_FILE}"
++
++"$FAKETIME" "${TESTDATE}" \
++ ${OPENSSL} ocsp -index "${INDEXFILE}" \
++ -issuer "${srcdir}/ocsp-tests/certs/ca.pem" \
++ -CA "${srcdir}/ocsp-tests/certs/ca.pem" \
++ -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \
++ -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" \
++ -cert "${SERVER_CERT_FILE}" \
++ -cert "${SERVER_CERT_BAD_FILE}" \
++ -respout "${OCSP_RESPONSE_FILE}"
++
++eval "${GETPORT}"
++# Port for gnutls-serv
++TLS_SERVER_PORT=$PORT
++PORT=${TLS_SERVER_PORT}
++launch_bare_server \
++ "${SERV}" --attime "${TESTDATE}" --echo --disable-client-cert \
++ --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \
++ --x509certfile="${SERVER_CERT_BAD_FILE}" \
++ --port="${TLS_SERVER_PORT}" \
++ --ocsp-response="${OCSP_RESPONSE_FILE}" --ignore-ocsp-response-errors
++TLS_SERVER_PID="${!}"
++wait_server $TLS_SERVER_PID
++
++wait_for_port "${TLS_SERVER_PORT}"
++
++out=$(
++ echo "test 123456" | \
++ "${CLI}" -d1 --attime "${TESTDATE}" --ocsp \
++ --x509cafile "${srcdir}/ocsp-tests/certs/ca.pem" \
++ --port "${TLS_SERVER_PORT}" localhost \
++ 2>&1
++ rc=$?
++)
++printf '%s\n' "$out"
++
++if test "${rc}" = "0"; then
++ echo 'ERROR: client accepted a revoked leaf (CVE-2026-3832)'
++ exit 1
++fi
++if ! echo "${out}" | grep "The certificate was revoked via OCSP" >/dev/null
++then
++ echo '"The certificate was revoked via OCSP" not found in output'
++ exit 1
++fi
++
++kill "${TLS_SERVER_PID}"
++wait "${TLS_SERVER_PID}"
++unset TLS_SERVER_PID
+
+ kill ${OCSP_PID}
+ wait ${OCSP_PID}
+--
+2.51.0
+
@@ -24,6 +24,8 @@ SRC_URI = "https://www.gnupg.org/ftp/gcrypt/gnutls/v${SHRT_VER}/gnutls-${PV}.tar
file://run-ptest \
file://Add-ptest-support.patch \
file://c99.patch \
+ file://CVE-2026-3832_p1.patch \
+ file://CVE-2026-3832_p2.patch \
"
SRC_URI[sha256sum] = "a7b341421bfd459acf7a374ca4af3b9e06608dcd7bd792b2bf470bea012b8e51"