Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size gnutls_x509_crt_t x509[] array without checking the number of certificates is less than or equal to the array size. gnutls_x509_crt_t is a typedef for a pointer to an opaque GnuTLS structure created using with gnutls_x509_crt_init() before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (GnuTLSClientVerify ignore, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use gnutls_certificate_verify_peers(), removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.
AnalysisAI
Mod_gnutls, a TLS module for Apache HTTPD, contains a stack-based buffer overflow vulnerability in its client certificate verification code. Versions prior to 0.12.3 and 0.13.0 fail to validate the length of client-provided certificate chains before writing pointers to a fixed-size array, typically causing segmentation faults (denial of service) and theoretically enabling stack corruption. Only configurations explicitly requiring client certificate verification are affected; default configurations using 'GnuTLSClientVerify ignore' are not vulnerable.
Technical ContextAI
The affected product is mod_gnutls (CPE: cpe:2.3:a:airtower-luna:mod_gnutls:*:*:*:*:*:*:*:*), an Apache HTTPD module providing TLS functionality via the GnuTLS library rather than OpenSSL. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). During client certificate verification, the code imports certificate chains into a fixed-size array of gnutls_x509_crt_t pointers without bounds checking. While gnutls_x509_crt_t is a typedef for a pointer to an opaque structure initialized via gnutls_x509_crt_init(), writing beyond the array boundary corrupts the stack by overwriting adjacent memory with structure pointers rather than attacker-controlled data directly, which generally results in crashes but could theoretically enable more sophisticated exploitation.
RemediationAI
Upgrade mod_gnutls to version 0.12.3 or later for a minimal bounds-checking fix, or to version 0.13.0 or later for a comprehensive rewrite that eliminates the vulnerable buffer by implementing gnutls_certificate_verify_peers() instead. The fix commit is available at https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1. Version 0.12.3 provides the minimal security patch for users on the 0.12.x branch who cannot immediately upgrade to 0.13.0. According to the advisory, no workaround exists other than upgrading; organizations unable to patch immediately should consider disabling client certificate verification if not operationally required, though this may break authentication mechanisms.
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14692