diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
index 3b6051fad3..9a71dff8b4 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/Manifest
@@ -1,4 +1,4 @@
-DIST gnutls-3.8.8.tar.xz 6696460 BLAKE2B d1498b0b9f14789599fd5b984d5370b632611f2702e9f4fc504ddba2a3e0dd4137bec858eb6150d031f9f50e6b3a3a7d905864f0a9f50a1f01e5ea8f37a44ba8 SHA512 4f617c63e8e8392e400d72c9e39989fcd782268b4a4c4e36bbfb0444a4b5bcb0f53054f04a6dce99ab89c0f38f57430c95aaaec6eb9209b8e9329140abf230c3
-DIST gnutls-3.8.8.tar.xz.sig 580 BLAKE2B 11a30f09e3a478615df2c6a0e40c0b9b2aad5794a82ae0cc871fcf3699b5d9725c9d04708c6f0b983da6e21f90a81f7550e723d0d04f97d1a16d526efbe91b1e SHA512 fdff792511e9e5de203a1dfd66bf521c12fb74a19de651ffa1f7359dafdd1dad59ae57d0f95fa363c4167f798e6b624b4ae1f84d4e0737ff690c2fb0e5a5bdce
+DIST gnutls-3.8.10.tar.xz 6909856 BLAKE2B 0b62e93b2818d2265ca11e561724547fa3c24d08986eb77ea743b4af52773db975c1859164c7d405d9a9bedfa981af58f10f85100b6c0e3542a38c49af407a4d SHA512 d453bd4527af95cb3905ce8753ceafd969e3f442ad1d148544a233ebf13285b999930553a805a0511293cc25390bb6a040260df5544a7c55019640f920ad3d92
+DIST gnutls-3.8.10.tar.xz.sig 566 BLAKE2B 32af044eb25978b752428d72a597f44457b6f3979d79e5b9e224523d6ef3bd213a0887960dddce84b97db78a9ebbbbd6b034adaa0dd7a1dd2d1db30527f5b42c SHA512 72d6dd2c23f768f5041c3dca0f49b3f60cd01fc960ce77f097094a2aae6d76fddeb6295c425e3750c711d5f700957a62268aecc4873e53c31abb60eecf0fd4a8
 DIST gnutls-3.8.9.tar.xz 6847364 BLAKE2B 0fd4751e24649a9c4b8ee7616350a4b6a504ec10b3ef39b450af25abc4935f30df9e8f732435166516f89c692ac7cb7a0aafb76c4c86c1faff53119840d26ae7 SHA512 b3b201671bf4e75325610a0291d4cd36a669718e22b3685246b64bde97b5bd94f463ab376ed817869869714115f4ff11bdc53c32604bb04a8ff8e10daa6d1fc7
 DIST gnutls-3.8.9.tar.xz.sig 566 BLAKE2B 3e723c90186a00b33f1d036c564039f7340ae495400f05d31bb054dad93a9529be4761ba9f97b2df51e8483dd1433c902cf5b8f9bdc127d0f540c9faf82a8f1c SHA512 5a47a519ef35f21b59e2122528246d6109dd95667bfe5d01713b9a7efa2931f8523bf325b8824433f3117d63e0e50d66f8c467a7ee4bd2068ae039601a28441e
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.8.10-tests.patch b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.8.10-tests.patch
new file mode 100644
index 0000000000..22bb421345
--- /dev/null
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/files/gnutls-3.8.10-tests.patch
@@ -0,0 +1,98 @@
+https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
+
+From 9741943dc87c46d609282a1c0bba6e19d6123c91 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Jul 2025 05:53:32 +0900
+Subject: [PATCH 1/3] tests: make cert-tests/mldsa.sh work in VPATH build
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/cert-tests/mldsa.sh | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/tests/cert-tests/mldsa.sh b/tests/cert-tests/mldsa.sh
+index 7e31e113d5..55e31ce5a7 100644
+--- a/tests/cert-tests/mldsa.sh
++++ b/tests/cert-tests/mldsa.sh
+@@ -130,7 +130,7 @@ for variant in 44 65 87; do
+ 	# Check default
+ 	TMPKEYDEFAULT=$testdir/key-$algo-$format-default
+ 	TMPKEY=$testdir/key-$algo-$format
+-	${VALGRIND} "${CERTTOOL}" -k --no-text --infile "data/key-$algo-$format.pem" >"$TMPKEYDEFAULT"
++	${VALGRIND} "${CERTTOOL}" -k --no-text --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEYDEFAULT"
+ 	if [ $? != 0 ]; then
+ 	    cat "$TMPKEYDEFAULT"
+ 	    exit 1
+@@ -138,19 +138,19 @@ for variant in 44 65 87; do
+ 
+ 	# The "expandedKey" format doesn't have public key part
+ 	if [ "$format" = seed ] || [ "$format" = both ]; then
+-	    if ! "${DIFF}" "$TMPKEYDEFAULT" "data/key-$algo-both.pem"; then
++	    if ! "${DIFF}" "$TMPKEYDEFAULT" "$srcdir/data/key-$algo-both.pem"; then
+ 		exit 1
+ 	    fi
+ 	fi
+ 
+ 	# Check roundtrip with --key-format
+-	${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "data/key-$algo-$format.pem" >"$TMPKEY"
++	${VALGRIND} "${CERTTOOL}" -k --no-text --key-format "$format" --infile "$srcdir/data/key-$algo-$format.pem" >"$TMPKEY"
+ 	if [ $? != 0 ]; then
+ 	    cat "$TMPKEY"
+ 	    exit 1
+ 	fi
+ 
+-	if ! "${DIFF}" "$TMPKEY" "data/key-$algo-$format.pem"; then
++	if ! "${DIFF}" "$TMPKEY" "$srcdir/data/key-$algo-$format.pem"; then
+ 	    exit 1
+ 	fi
+     done
+@@ -164,7 +164,7 @@ for n in 1; do
+     fi
+ 
+     echo "Testing inconsistent ML-DSA key ($n)"
+-    if "${CERTTOOL}" -k --infile "data/key-mldsa-inconsistent$n.pem"; then
++    if "${CERTTOOL}" -k --infile "$srcdir/data/key-mldsa-inconsistent$n.pem"; then
+ 	exit 1
+     fi
+ done
+-- 
+GitLab
+
+From d2f4c53c6cdf1879101a8faa868994730485f8d3 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <ueno@gnu.org>
+Date: Thu, 10 Jul 2025 05:58:52 +0900
+Subject: [PATCH 3/3] tests: skip system-override-compress-cert.sh if no brotli
+ nor zstd
+
+Signed-off-by: Daiki Ueno <ueno@gnu.org>
+---
+ tests/system-override-compress-cert.sh | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/tests/system-override-compress-cert.sh b/tests/system-override-compress-cert.sh
+index 83cf8cf9d0..afa60f2cbb 100755
+--- a/tests/system-override-compress-cert.sh
++++ b/tests/system-override-compress-cert.sh
+@@ -19,6 +19,8 @@
+ # You should have received a copy of the GNU Lesser General Public License
+ # along with this program.  If not, see <https://www.gnu.org/licenses/>
+ 
++: ${CLI=../src/gnutls-cli${EXEEXT}}
++
+ TEST=${builddir}/compress-cert-conf
+ CONF=config.$$.tmp
+ export GNUTLS_SYSTEM_PRIORITY_FILE=${CONF}
+@@ -28,6 +30,11 @@ if test "${WINDIR}" != ""; then
+ 	exit 77
+ fi
+ 
++if ! "$CLI" --list | grep '^Compression: .*COMP-\(BROTLI\|ZSTD\)'; then
++	echo "Not built with brotli and zstd, skipping" 1>&2
++	exit 77
++fi
++
+ cat <<_EOF_ > ${CONF}
+ [overrides]
+ cert-compression-alg = brotli
+-- 
+GitLab
diff --git a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.8.ebuild b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
similarity index 87%
rename from sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.8.ebuild
rename to sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
index f370dd7989..e017318e00 100644
--- a/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.8.ebuild
+++ b/sdk_container/src/third_party/portage-stable/net-libs/gnutls/gnutls-3.8.10.ebuild
@@ -4,7 +4,7 @@
 EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnutls.asc
-inherit autotools multilib-minimal verify-sig
+inherit libtool multilib-minimal verify-sig
 
 DESCRIPTION="A secure communications library implementing the SSL, TLS and DTLS protocols"
 HOMEPAGE="https://www.gnutls.org/"
@@ -17,7 +17,7 @@ LICENSE="GPL-3 LGPL-2.1+"
 # Subslot format:
 # <libgnutls.so number>.<libgnutlsxx.so number>
 SLOT="0/30.30"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 IUSE="brotli +cxx dane doc examples +idn nls +openssl pkcs11 sslv2 sslv3 static-libs test test-full +tls-heartbeat tools zlib zstd"
 REQUIRED_USE="test-full? ( cxx dane doc examples idn nls openssl pkcs11 tls-heartbeat tools )"
 RESTRICT="!test? ( test )"
@@ -66,6 +66,10 @@ QA_CONFIG_IMPL_DECL_SKIP=(
 	static_assert
 )
 
+PATCHES=(
+	"${FILESDIR}"/${PN}-3.8.10-tests.patch
+)
+
 src_prepare() {
 	default
 
@@ -79,11 +83,16 @@ src_prepare() {
 	# fails to compile in certain configurations
 	sed -i -e 's/__APPLE__/__NO_APPLE__/' lib/system/certs.c || die
 
-	# Use sane .so versioning on FreeBSD.
-	#elibtoolize
+	# Fails with some combinations of USE="brotli zlib zstd"
+	# https://gitlab.com/gnutls/gnutls/-/issues/1721
+	# https://gitlab.com/gnutls/gnutls/-/merge_requests/1980
+	cat <<-EOF > tests/system-override-compress-cert.sh || die
+	#!/bin/sh
+	exit 77
+	EOF
+	chmod +x tests/system-override-compress-cert.sh || die
 
-	# Switch back to elibtoolize after 3.8.7.1
-	eautoreconf
+	elibtoolize
 }
 
 multilib_src_configure() {
@@ -125,11 +134,11 @@ multilib_src_configure() {
 		$(use_enable sslv3 ssl3-support)
 		$(use_enable static-libs static)
 		$(use_enable tls-heartbeat heartbeat-support)
-		$(use_with brotli)
+		$(use_with brotli '' link)
 		$(use_with idn)
 		$(use_with pkcs11 p11-kit)
-		$(use_with zlib)
-		$(use_with zstd)
+		$(use_with zlib '' link)
+		$(use_with zstd '' link)
 		--disable-rpath
 		--with-default-trust-store-file="${EPREFIX}"/etc/ssl/certs/ca-certificates.crt
 		--with-unbound-root-key-file="${EPREFIX}"/etc/dnssec/root-anchors.txt