CVE-2026-33307
Buffer Overflow in Mod_gnutls Client Certificate Verification

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, the code for client certificate verification imported the certificate chain sent by the client into a fixed-size `gnutls_x509_crt_t x509[]` array without checking that the number of certificates was less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure, created with `gnutls_x509_crt_init()` before certificate data is imported into it, so no attacker-controlled data was written into the stack buffer; however, writing a pointer past the last array element generally triggered a segfault and could in theory cause other stack corruption (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.
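The affected pattern and the 0.12.3-style length check, as an added C model written for this page (it is not mod_gnutls or GnuTLS code): `cert_datum_t`, `cert_handle_t`, `cert_import()`, `verify_chain()` and `check_chain_of()` are stand-ins for the GnuTLS types and calls, and the buffer size of 8 is an assumption.

```c
#include <stdlib.h>

/* Constructed stand-ins for the GnuTLS types (not libgnutls): a chain element is a
 * DER blob, an imported certificate is an opaque handle reached through a pointer,
 * the same shape as gnutls_x509_crt_t. */
typedef struct { const unsigned char *data; unsigned int size; } cert_datum_t;
typedef struct { unsigned int der_len; } *cert_handle_t;

#define MAX_CHAIN_SIZE 8   /* assumed size of the fixed stack array */

enum chain_status { CHAIN_OK = 0, CHAIN_TOO_LONG = 1, CHAIN_IMPORT_FAILED = 2 };
/* Models gnutls_x509_crt_init() + gnutls_x509_crt_import(): an opaque handle, or NULL. */
static cert_handle_t cert_import(const cert_datum_t *d)
{
    if (d->size == 0) return NULL;             /* empty blob: import fails */
    cert_handle_t h = malloc(sizeof *h);
    if (h) h->der_len = d->size;
    return h;
}

/* Pattern of the 0.12.3 fix: compare cert_list_size with the buffer size before
 * any slot is written. Without the check, a chain longer than MAX_CHAIN_SIZE makes
 * the import loop store handle pointers past the end of x509[]. */
enum chain_status verify_chain(const cert_datum_t *list, unsigned int cert_list_size)
{
    cert_handle_t x509[MAX_CHAIN_SIZE];
    unsigned int i;
    if (cert_list_size > MAX_CHAIN_SIZE)
        return CHAIN_TOO_LONG;                 /* caller answers HTTP_FORBIDDEN */
    for (i = 0; i < cert_list_size; i++) {
        x509[i] = cert_import(&list[i]);
        if (x509[i] == NULL) {
            while (i-- > 0) free(x509[i]);     /* release handles imported so far */
            return CHAIN_IMPORT_FAILED;
        }
    }
    /* chain verification against the trust store would run here */
    for (i = 0; i < cert_list_size; i++) free(x509[i]);
    return CHAIN_OK;
}

/* Builds a constructed chain of n non-empty DER stand-ins and checks it. */
enum chain_status check_chain_of(unsigned int n)
{
    static const unsigned char der[] = {0x30, 0x82, 0x01, 0x00};   /* constructed bytes */
    cert_datum_t list[MAX_CHAIN_SIZE + 2];
    for (unsigned int i = 0; i < n && i < MAX_CHAIN_SIZE + 2; i++) { list[i].data = der; list[i].size = sizeof der; }
    return verify_chain(list, n);
}
```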
Meta Information
Published: 2026-03-24
Last Modified: 2026-03-24
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: mod_gnutls_project
Product: mod_gnutls
Version / Range: versions before 0.12.3 (0.12.3 excluded)
CWE
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33307 is a vulnerability in the mod_gnutls TLS module for Apache HTTPD that occurs when the server imports a client certificate chain into a fixed-size array without checking if the chain length exceeds the array size.

Specifically, the code uses an array of pointers to GnuTLS certificate structures, and if the client sends more certificates than the array can hold, the code writes beyond the array boundary. This typically causes a segmentation fault (crash) and could theoretically cause stack corruption, although no such corruption has been observed.

The vulnerability affects server configurations that use client certificate verification (any `GnuTLSClientVerify` setting other than the default `ignore`) and is fixed by rejecting certificate chains longer than the buffer size or by rewriting the verification code to avoid the fixed buffer entirely.


How can this vulnerability impact me?

This vulnerability can cause the Apache HTTPD server using mod_gnutls to crash (segmentation fault) when processing a client certificate chain that is longer than the allowed buffer size.

The impact is a denial of service (availability impact) because the server process may terminate unexpectedly, disrupting service.

There is no direct impact on confidentiality or integrity, and no attacker-controlled data is written into the stack buffer, but the crash can be triggered remotely without privileges or user interaction.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the Apache HTTPD server logs for error messages indicating that a client certificate chain length exceeded the maximum supported length.

Specifically, the server logs an error when the certificate chain length (cert_list_size) is greater than the fixed buffer size (MAX_CHAIN_SIZE), and the request is denied with HTTP_FORBIDDEN.

To detect attempts to exploit this vulnerability, you can check the Apache error logs for messages related to client certificate chain length exceeding the limit.

Example commands to check logs on a typical Linux system might include:

- sudo grep -i 'certificate chain length' /var/log/apache2/error.log
- sudo journalctl -u apache2 | grep -i 'certificate chain length'
- tail -f /var/log/apache2/error.log | grep --line-buffered 'certificate chain length'

Additionally, you can verify the mod_gnutls version installed to ensure it is 0.12.3 or later, as earlier versions are vulnerable.

- apachectl -M | grep gnutls
- dpkg -l | grep mod-gnutls (on Debian-based systems)
- rpm -qa | grep mod-gnutls (on RPM-based systems) [1]


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade mod_gnutls to version 0.12.3 or later.

Version 0.12.3 introduces a check on the client certificate chain length and rejects chains that exceed the fixed buffer size, preventing the vulnerability from being exploited.

If upgrading to version 0.13.0 is not immediately possible, version 0.12.3 provides a minimal fix and should be applied as soon as possible.

There is no workaround other than upgrading the software.

Additionally, if your server configuration does not require client certificates (i.e., uses the default setting `GnuTLSClientVerify ignore`), it is not affected by this vulnerability.

