Skip to main content

Apache EUVDEUVD-2026-14692

| CVE-2026-33307 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-03-24 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:18 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
0.12.3
EUVD ID Assigned
Mar 24, 2026 - 01:45 euvd
EUVD-2026-14692
Analysis Generated
Mar 24, 2026 - 01:45 vuln.today
CVE Published
Mar 24, 2026 - 01:34 nvd
HIGH 7.5

DescriptionGitHub Advisory

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size gnutls_x509_crt_t x509[] array without checking the number of certificates is less than or equal to the array size. gnutls_x509_crt_t is a typedef for a pointer to an opaque GnuTLS structure created using with gnutls_x509_crt_init() before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (GnuTLSClientVerify ignore, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use gnutls_certificate_verify_peers(), removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.

AnalysisAI

Mod_gnutls, a TLS module for Apache HTTPD, contains a stack-based buffer overflow vulnerability in its client certificate verification code. Versions prior to 0.12.3 and 0.13.0 fail to validate the length of client-provided certificate chains before writing pointers to a fixed-size array, typically causing segmentation faults (denial of service) and theoretically enabling stack corruption. Only configurations explicitly requiring client certificate verification are affected; default configurations using 'GnuTLSClientVerify ignore' are not vulnerable.

Technical ContextAI

The affected product is mod_gnutls (CPE: cpe:2.3:a:airtower-luna:mod_gnutls:*:*:*:*:*:*:*:*), an Apache HTTPD module providing TLS functionality via the GnuTLS library rather than OpenSSL. The vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). During client certificate verification, the code imports certificate chains into a fixed-size array of gnutls_x509_crt_t pointers without bounds checking. While gnutls_x509_crt_t is a typedef for a pointer to an opaque structure initialized via gnutls_x509_crt_init(), writing beyond the array boundary corrupts the stack by overwriting adjacent memory with structure pointers rather than attacker-controlled data directly, which generally results in crashes but could theoretically enable more sophisticated exploitation.

RemediationAI

Upgrade mod_gnutls to version 0.12.3 or later for a minimal bounds-checking fix, or to version 0.13.0 or later for a comprehensive rewrite that eliminates the vulnerable buffer by implementing gnutls_certificate_verify_peers() instead. The fix commit is available at https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1. Version 0.12.3 provides the minimal security patch for users on the 0.12.x branch who cannot immediately upgrade to 0.13.0. According to the advisory, no workaround exists other than upgrading; organizations unable to patch immediately should consider disabling client certificate verification if not operationally required, though this may break authentication mechanisms.

Share

EUVD-2026-14692 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy