CVE-2026-33307

{"id": "CVE-2026-33307", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-24T02:16:05.283", "references": [{"url": "https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-121"}]}], "descriptions": [{"lang": "en", "value": "Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet."}, {"lang": "es", "value": "Mod_gnutls es un m\u00f3dulo TLS para Apache HTTPD basado en GnuTLS. En versiones anteriores a la 0.12.3 y 0.13.0, el c\u00f3digo para la verificaci\u00f3n de certificados del cliente importaba la cadena de certificados enviada por el cliente a un array de tama\u00f1o fijo gnutls_x509_crt_t x509[] sin comprobar que el n\u00famero de certificados fuera menor o igual al tama\u00f1o del array. gnutls_x509_crt_t es un typedef para un puntero a una estructura opaca de GnuTLS creada usando gnutls_x509_crt_init() antes de importar datos de certificado en ella, por lo que no se escribieron datos controlados por el atacante en el b\u00fafer de pila, pero escribir un puntero despu\u00e9s del \u00faltimo elemento del array generalmente provocaba un segfault, y te\u00f3ricamente podr\u00eda causar corrupci\u00f3n de pila de otra manera (no observado en la pr\u00e1ctica). Las configuraciones del servidor que no utilizan certificados de cliente (GnuTLSClientVerify ignore, el valor predeterminado) no se ven afectadas. El problema se ha solucionado en la versi\u00f3n 0.12.3 comprobando la longitud de la cadena de certificados proporcionada y rechaz\u00e1ndola si excede la longitud del b\u00fafer, y en la versi\u00f3n 0.13.0 reescribiendo la verificaci\u00f3n de certificados para usar gnutls_certificate_verify_peers(), eliminando por completo la necesidad del b\u00fafer. No hay soluci\u00f3n alternativa. La versi\u00f3n 0.12.3 proporciona la soluci\u00f3n m\u00ednima para los usuarios de 0.12.x que a\u00fan no desean actualizar a la 0.13.0."}], "lastModified": "2026-03-24T19:29:26.120", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mod_gnutls_project:mod_gnutls:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D9C870F-6C79-4E53-804A-A0F9893B31A3", "versionEndExcluding": "0.12.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}