Description
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack-based buffer overflow during client certificate chain import that can cause a crash or stack corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in Mod_gnutls’s processing of client certificate chains. Prior to version 0.12.3 and 0.13.0 the verification routine copied the chain into a fixed-size array of gnutls_x509_crt_t pointers without validating that the number of certificates did not exceed the buffer bounds. This can overwrite memory adjacent to the array, leading to a crash or, in theory, corrupting the stack. The bug does not allow attackers to write arbitrary data into the buffer, but the result is a denial‑of‑service and a potential remote stack corruption attack vector.

Affected Systems

Affected installations of airtower‑luna’s Mod_gnutls TLS module for Apache HTTPD are vulnerable in versions older than 0.12.3 and older than 0.13.0. Servers that do not enable client certificate verification (the default configuration) are not impacted.

Risk and Exploitability

The CVSS score is 7.5, reflecting high severity. An EPSS score of less than 1 % indicates low current exploitation probability, and it is not listed in the CISA KEV catalog. Exploitation requires a client to present an excessively long certificate chain, so the attack vector is remote from a client. No workaround exists; the only mitigation is to upgrade to a fixed version.

Generated by OpenCVE AI on March 24, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mod_gnutls to version 0.12.3 or later.
  • Prefer upgrading to version 0.13.0, where the verification logic has been rewritten and the buffer issue removed.
  • If an upgrade cannot be performed immediately, verify that the server is not configured to require client certificates, since the default configuration is unaffected.

Generated by OpenCVE AI on March 24, 2026 at 20:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Mod Gnutls Project
Mod Gnutls Project mod Gnutls
CPEs cpe:2.3:a:mod_gnutls_project:mod_gnutls:*:*:*:*:*:*:*:*
Vendors & Products Mod Gnutls Project
Mod Gnutls Project mod Gnutls

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Airtower-luna
Airtower-luna mod Gnutls
Vendors & Products Airtower-luna
Airtower-luna mod Gnutls

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.
Title mod_gnutils has stack-based buffer overflow caused by a long client certificate chain
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Airtower-luna Mod Gnutls
Mod Gnutls Project Mod Gnutls
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:12:34.370Z

Reserved: 2026-03-18T21:23:36.675Z

Link: CVE-2026-33307

cve-icon Vulnrichment

Updated: 2026-03-24T14:12:25.668Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T02:16:05.283

Modified: 2026-03-24T19:29:26.120

Link: CVE-2026-33307

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:40:31Z

Weaknesses