<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mod_gnutls - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mod_gnutls/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 02 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mod_gnutls/feed.xml" rel="self" type="application/rss+xml"/><item><title>Mod_gnutls Certificate Chain Overflow Vulnerability (CVE-2026-33307)</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-mod-gnutls-cert-overflow/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-mod-gnutls-cert-overflow/</guid><description>Mod_gnutls versions prior to 0.12.3 and 0.13.0 are vulnerable to a certificate chain overflow when verifying client certificates, potentially leading to a segfault or stack corruption.</description><content:encoded><![CDATA[<p>A vulnerability exists in Mod_gnutls, a TLS module for Apache HTTPD, specifically affecting versions prior to 0.12.3 and 0.13.0. The flaw, identified as CVE-2026-33307, stems from the improper handling of client certificate verification. When a client presents a certificate chain, the module imports this chain into a fixed-size array without adequately checking if the number of certificates exceeds the array's capacity. Although the vulnerability doesn't directly permit writing attacker-controlled data into the stack buffer, exceeding the buffer size can trigger a segfault or, theoretically, cause stack corruption. This issue primarily impacts server configurations that actively utilize client certificates for authentication (i.e., configurations where <code>GnuTLSClientVerify ignore</code> is not set). The vulnerability has been addressed in Mod_gnutls versions 0.12.3 and 0.13.0.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker initiates a TLS connection to an Apache HTTPD server using mod_gnutls.</li>
<li>The server is configured to require or request client certificates for authentication.</li>
<li>The attacker crafts a malicious certificate chain containing more certificates than the server's buffer can hold.</li>
<li>The attacker sends the crafted certificate chain to the server during the TLS handshake.</li>
<li>Mod_gnutls attempts to import the oversized certificate chain into the fixed-size <code>gnutls_x509_crt_t x509[]</code> array.</li>
<li>Due to the missing size check, the import operation writes beyond the boundaries of the array.</li>
<li>This out-of-bounds write triggers a segmentation fault, causing the Apache HTTPD worker process to crash.</li>
<li>Alternatively, in some theoretical scenarios, stack corruption could occur, potentially leading to arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2026-33307) can lead to a denial-of-service (DoS) condition, as the Apache HTTPD worker process crashes when processing the malicious certificate chain. This impacts servers configured to use client certificate authentication, potentially disrupting services for legitimate users. While widespread exploitation has not been reported, the CVSS v3.1 score of 7.5 indicates a significant risk, especially for systems relying on client certificate authentication.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Mod_gnutls to version 0.12.3 or 0.13.0 to remediate the vulnerability (CVE-2026-33307).</li>
<li>For users of Mod_gnutls 0.12.x who cannot immediately upgrade to 0.13.0, apply version 0.12.3, which provides the minimal fix.</li>
<li>Monitor Apache HTTPD server logs for crashes related to mod_gnutls and client certificate verification.</li>
<li>Consider temporarily disabling client certificate authentication if immediate patching is not feasible.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>mod_gnutls</category><category>apache</category><category>tls</category><category>certificate-overflow</category><category>cve-2026-33307</category><category>denial-of-service</category></item></channel></rss>