ubuntu-cve-2026-33307
Vulnerability from osv_ubuntu
Published
2026-03-24 02:16
Modified
2026-04-02 17:31
Summary
Details

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size gnutls_x509_crt_t x509[] array without checking the number of certificates is less than or equal to the array size. gnutls_x509_crt_t is a typedef for a pointer to an opaque GnuTLS structure created using with gnutls_x509_crt_init() before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (GnuTLSClientVerify ignore, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use gnutls_certificate_verify_peers(), removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.


{
  "affected": [
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libapache2-mod-gnutls",
            "binary_version": "0.7.3-0ubuntu1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:16.04:LTS",
        "name": "mod-gnutls",
        "purl": "pkg:deb/ubuntu/mod-gnutls@0.7.3-0ubuntu1?arch=source\u0026distro=xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6-1.1",
        "0.7.3-0ubuntu1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libapache2-mod-gnutls",
            "binary_version": "0.8.2-3ubuntu1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "mod-gnutls",
        "purl": "pkg:deb/ubuntu/mod-gnutls@0.8.2-3ubuntu1?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8.2-3ubuntu1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libapache2-mod-gnutls",
            "binary_version": "0.9.0-1.1ubuntu1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "mod-gnutls",
        "purl": "pkg:deb/ubuntu/mod-gnutls@0.9.0-1.1ubuntu1?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.8.2-3ubuntu1",
        "0.9.0-1.1ubuntu1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libapache2-mod-gnutls",
            "binary_version": "0.9.0-1.1ubuntu1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "mod-gnutls",
        "purl": "pkg:deb/ubuntu/mod-gnutls@0.9.0-1.1ubuntu1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.9.0-1.1ubuntu1"
      ]
    }
  ],
  "aliases": [],
  "details": "Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.",
  "id": "UBUNTU-CVE-2026-33307",
  "modified": "2026-04-02T17:31:26Z",
  "published": "2026-03-24T02:16:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-33307"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-33307"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "medium",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2026-33307"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…