CVE-2026-33307

High

Published: 24 March 2026

Published

24 March 2026

Modified

24 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 14.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33307 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Mod Gnutls Project Mod Gnutls. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through patching mod_gnutls to version 0.12.3 or later directly eliminates the buffer overflow vulnerability in client certificate chain processing.

SI-10 Information Input Validation good match

prevent

Validating the length of the client certificate chain before importing into the fixed-size array prevents the stack buffer overflow during TLS handshake.

SI-16 Memory Protection good match

prevent

Memory protection mechanisms such as stack canaries and address space layout randomization mitigate potential stack corruption from out-of-bounds pointer writes in the certificate array.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE enables remote exploitation of a public-facing Apache web server module (T1190) via malicious TLS client certificate chains, directly resulting in application crash and endpoint DoS through software vulnerability exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking…

the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet.

Deeper analysisAI

CVE-2026-33307 is a stack-based buffer overflow vulnerability (CWE-121) in Mod_gnutls, a TLS module for the Apache HTTP Server based on GnuTLS. It affects versions prior to 0.12.3 and 0.13.0. The flaw resides in the client certificate verification code, which imports the certificate chain sent by the client into a fixed-size array of gnutls_x509_crt_t structures without verifying that the number of certificates does not exceed the array size. Although no attacker-controlled data directly overwrites the stack buffer, writing a pointer beyond the array bounds typically causes a segmentation fault, with theoretical potential for stack corruption that has not been observed.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity by providing an overly long client certificate chain during the TLS handshake. Exploitation requires server configurations that enable client certificate verification, such as those overriding the default GnuTLSClientVerify ignore setting; default configurations are unaffected. Successful exploitation generally results in a server process crash and denial of service, as indicated by the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with no impact on confidentiality or integrity.

The issue is fixed in version 0.12.3 by adding a check on the certificate chain length and rejecting chains that exceed the buffer size, providing a minimal patch for 0.12.x users. Version 0.13.0 addresses it more comprehensively by rewriting certificate verification to use gnutls_certificate_verify_peers(), eliminating the fixed buffer entirely. No workaround exists. See the fix commit at https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1 and the security advisory at https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r for further details.