Description
A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in glib-networking's GnuTLS backend. Certificate verification walks the presented chain from the leaf toward a trusted root by following each certificate's issuer link; when the peer-supplied chain contains circular issuer relationships (for instance two intermediates that each name the other as issuer, so a self-signed root is never reached), that walk never terminates and the verifying thread spins at full CPU. The process or worker performing the verification stalls and stops serving legitimate requests. The issue is a classic infinite-loop flaw (CWE-835): memory safety is not involved, and the CVSS vector (C:N/I:N/A:L) records availability as the only affected property.
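To make the traversal concrete, here is an added example that is not glib-networking's or GnuTLS's code: it models chain building on certificates reduced to (subject, issuer) name pairs, with issuer lookup by name, a depth bound of 8 and the sample chains all constructed for the demonstration. The naive walk only returns on the circular chain because of a step counter added for the demo; the bounded walk stops on a revisited certificate or when the depth bound is exceeded, which is the shape of check a verifier needs to avoid CWE-835.

```python
"""Chain traversal with and without cycle protection (illustrative model).

Added example, not glib-networking's or GnuTLS's code. Certificates are
reduced to (subject, issuer) name pairs and issuers are looked up by name;
a real verifier keys on the certificate itself (e.g. a hash of its DER) so
that cross-signed CAs sharing a subject name are not confused.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_CHAIN_DEPTH = 8  # assumed bound for the demo; real verifiers choose their own


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert: Cert, pool: List[Cert]) -> Optional[Cert]:
    """Return the first certificate in the peer-supplied pool whose subject
    matches cert's issuer, or None if the chain is incomplete."""
    for candidate in pool:
        if candidate.subject == cert.issuer:
            return candidate
    return None


def walk_chain_naive(leaf: Cert, pool: List[Cert],
                     step_limit: int = 10_000) -> Tuple[List[Cert], str]:
    """Follow issuer links until a self-signed root or a missing issuer.

    This is the CWE-835 shape: nothing stops the walk on a revisited issuer.
    step_limit exists only so the demo returns; without it a circular chain
    spins forever. Returns (chain, status).
    """
    chain = [leaf]
    current = leaf
    steps = 0
    while not current.is_self_signed():
        nxt = find_issuer(current, pool)
        if nxt is None:
            return chain, "incomplete"
        chain.append(nxt)
        current = nxt
        steps += 1
        if steps >= step_limit:
            return chain, "spinning"  # would be an infinite loop in real code
    return chain, "self-signed-root"


def walk_chain_bounded(leaf: Cert, pool: List[Cert],
                       max_depth: int = MAX_CHAIN_DEPTH) -> Tuple[List[Cert], str]:
    """Same walk with the two checks that make it terminate on any input:
    a visited set (rejects cycles) and a depth bound (rejects absurd chains)."""
    chain = [leaf]
    seen = {leaf.subject}
    current = leaf
    while not current.is_self_signed():
        if len(chain) >= max_depth:
            return chain, "depth-exceeded"
        nxt = find_issuer(current, pool)
        if nxt is None:
            return chain, "incomplete"
        if nxt.subject in seen:
            return chain, "cycle"  # circular issuer relationship: reject, don't spin
        seen.add(nxt.subject)
        chain.append(nxt)
        current = nxt
    return chain, "self-signed-root"


# Constructed sample chains (not real certificates).
LEGIT_POOL = [
    Cert("leaf.example", "Intermediate CA"),
    Cert("Intermediate CA", "Root CA"),
    Cert("Root CA", "Root CA"),  # self-signed root terminates the walk
]
CIRCULAR_POOL = [
    Cert("leaf.example", "CA-A"),
    Cert("CA-A", "CA-B"),
    Cert("CA-B", "CA-A"),  # CA-A and CA-B issue each other: no root is ever reached
]

if __name__ == "__main__":
    for name, pool in (("legit", LEGIT_POOL), ("circular", CIRCULAR_POOL)):
        _, naive = walk_chain_naive(pool[0], pool)
        _, bounded = walk_chain_bounded(pool[0], pool)
        print(f"{name:9s} naive={naive:16s} bounded={bounded}")
```

The visited set is what rejects the circular chain; the depth bound is what stops a long, non-repeating chain of attacker-generated CAs from doing the same CPU damage without a strict cycle, so a fix needs both.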

Affected Systems

Red Hat's record lists CPEs for Red Hat Enterprise Linux 6, 7, 8, 9 and 10, so the glib-networking package shipped with each of those releases is in scope wherever the GnuTLS backend is in use. glib-networking supplies the TLS implementation behind GLib's GIO networking classes, so the exposed software is any GIO-based application that verifies a peer certificate through it (for example HTTP clients built on libsoup and GNOME desktop applications), rather than conventional web or mail servers, which carry their own TLS stacks.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) rates the flaw Medium; Red Hat's own severity rating is Low, and the SSVC assessment records Exploitation: none and Automatable: no. The EPSS estimate is below 1%, and the CVE is not in CISA's KEV catalog. Exploitation is over the network and needs no privileges or local access, but the vector's UI:R reflects that the affected application must be induced to verify the crafted chain, typically by connecting to a malicious or compromised TLS endpoint that presents it. The attacker's payoff is limited to tying up the process or worker that performs the verification.

Generated by OpenCVE AI on May 28, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the glib-networking package to the latest available release that contains the fix for the infinite loop in certificate verification.
  • Until a fixed package is available, keep certificate verification enabled: skipping it would trade a denial of service for silent exposure to man-in-the-middle attacks, which is the worse outcome. Reduce exposure instead by restricting affected clients to known, trusted endpoints (egress filtering, pinned server lists). Disabling the GnuTLS backend is only an option where another supported glib-networking TLS backend is installed for the application to fall back to; on the listed RHEL releases, confirm what the package actually ships before relying on that.
  • Implement system‑level resource limits or continuous monitoring for abnormal CPU usage on affected processes, and consider restarting the service when a spike is detected to mitigate denial of service.
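For the monitoring half of the last bullet, here is an added example (not part of glib-networking or any distribution's tooling) that derives a process's CPU share from two /proc/<pid>/stat samples and flags a sustained spin, which is the signature of a verifier stuck in this loop. The pid, the 90%-for-three-samples threshold and the sample stat lines are constructed for the demonstration.

```python
"""CPU-spin detector for a verifying process, from /proc/<pid>/stat samples.

Added example for the monitoring recommendation; not glib-networking's code
or any distribution tooling. The pid, thresholds and stat lines are
constructed for the demonstration.
"""
import os
import time
from typing import List, Tuple

# The kernel reports CPU time in clock ticks; 100 ticks/s is the usual value,
# but read it from the system (os.sysconf) when sampling live.
DEFAULT_CLK_TCK = 100


def parse_proc_stat(line: str) -> Tuple[int, str, int]:
    """Return (pid, comm, utime+stime ticks) from a /proc/<pid>/stat line.

    The comm field is parenthesised and may itself contain spaces or ')',
    so split on the last ')' rather than on whitespace from the start.
    utime and stime are fields 14 and 15 (1-based), i.e. indices 11 and 12
    once the pid, comm and state fields have been stripped.
    """
    head, _, rest = line.rpartition(")")
    pid_str, _, comm = head.partition("(")
    fields = rest.split()
    utime, stime = int(fields[11]), int(fields[12])
    return int(pid_str), comm, utime + stime


def cpu_share(ticks_before: int, ticks_after: int, elapsed_s: float,
              clk_tck: int = DEFAULT_CLK_TCK) -> float:
    """Fraction of one CPU consumed between two samples (1.0 = one core pegged)."""
    return (ticks_after - ticks_before) / (elapsed_s * clk_tck)


def sustained_spin(shares: List[float], threshold: float = 0.9, window: int = 3) -> bool:
    """True when the last `window` samples all sit at or above `threshold`.

    A single high sample is normal for a burst of genuine verification work;
    a verifier stuck in CWE-835 stays pinned until something kills it.
    """
    return len(shares) >= window and all(s >= threshold for s in shares[-window:])


def sample_live(pid: int) -> int:
    """Read the current utime+stime for pid (Linux only)."""
    with open(f"/proc/{pid}/stat") as f:
        return parse_proc_stat(f.read())[2]


def watch(pid: int, interval_s: float = 5.0, window: int = 3, threshold: float = 0.9) -> None:
    """Poll until the process shows a sustained spin, then hand off to the
    operator's restart action (left as a print here)."""
    clk = os.sysconf("SC_CLK_TCK")
    shares: List[float] = []
    last = sample_live(pid)
    while True:
        time.sleep(interval_s)
        now = sample_live(pid)
        shares.append(cpu_share(last, now, interval_s, clk))
        last = now
        if sustained_spin(shares, threshold, window):
            print(f"pid {pid} pinned for {window * interval_s:.0f}s: restart candidate")
            return


# Constructed /proc/<pid>/stat lines, five seconds apart: utime goes 500 -> 990
# and stime 100 -> 105, i.e. 495 ticks in 500 ticks of wall time (99% of a core).
STAT_BEFORE = ("4242 (gnome-software) R 1 4242 4242 0 -1 4194560 1234 0 0 0 "
               "500 100 0 0 20 0 4 0 12345 123456789 2000 18446744073709551615")
STAT_AFTER = ("4242 (gnome-software) R 1 4242 4242 0 -1 4194560 1234 0 0 0 "
              "990 105 0 0 20 0 4 0 12345 123456789 2000 18446744073709551615")


def demo_shares() -> List[float]:
    """Replay a constructed trace: one quiet sample, then three pinned ones."""
    t0 = parse_proc_stat(STAT_BEFORE)[2]
    t1 = parse_proc_stat(STAT_AFTER)[2]
    pinned = cpu_share(t0, t1, 5.0)
    return [0.05, pinned, pinned, pinned]


if __name__ == "__main__":
    print("sustained spin in demo trace:", sustained_spin(demo_shares()))
```

The resource-limit half of the bullet is simpler and should come first: on systemd-managed services, `CPUQuota=` in the unit's [Service] section caps what a spinning worker can take from the host while the watchdog above decides whether to restart it.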

Advisories

No advisories yet.

History

Fri, 29 May 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 00:15:00 +0000

Type: References

Type: Metrics (threat_severity)
Values Removed: None
Values Added: Low


Thu, 28 May 2026 22:45:00 +0000

Type: Description
Values Added: A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.

Type: Title
Values Added: Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of service via circular certificate chain

Type: First Time appeared
Values Added: Redhat; Redhat enterprise Linux

Type: Weaknesses
Values Added: CWE-835

Type: CPEs
Values Added:
  cpe:/o:redhat:enterprise_linux:6
  cpe:/o:redhat:enterprise_linux:7
  cpe:/o:redhat:enterprise_linux:8
  cpe:/o:redhat:enterprise_linux:9
  cpe:/o:redhat:enterprise_linux:10

Type: Vendors & Products
Values Added: Redhat; Redhat enterprise Linux

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-29T13:17:58.872Z

Reserved: 2026-05-28T18:26:36.325Z

Link: CVE-2026-10028

Vulnrichment

Updated: 2026-05-29T13:17:55.415Z

NVD

Status : Awaiting Analysis

Published: 2026-05-28T23:16:44.213

Modified: 2026-05-29T02:47:03.023

Link: CVE-2026-10028

Redhat

Severity : Low

Public Date: 2026-05-28T22:27:36Z

Links: CVE-2026-10028 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-29T00:00:12Z

Weaknesses