Client-cert chain overflow can crash mod_gnutls servers
TL;DR — A malformed TLS client-certificate chain can trigger a crash in mod_gnutls when mTLS client verification is enabled, turning client auth into a remotely reachable DoS path.
What happened
mod_gnutls is a TLS module for Apache HTTPD that terminates TLS using the GnuTLS library, commonly used when operators want GnuTLS features (including client-certificate authentication) integrated directly into httpd.
CVE-2026-33307 describes a bug in the client-certificate verification path: mod_gnutls imported the certificate chain supplied by the client into a fixed-size `gnutls_x509_crt_t x509[]` array without validating that the chain length fits. The CVE notes that the overflow writes pointers (not attacker-controlled bytes) and “generally triggered a segfault,” with a theoretical (but not observed) potential for stack corruption.
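To make the root cause concrete, here is an added example (written for this page, not mod_gnutls or GnuTLS code) contrasting the unchecked "copy the peer's chain into a fixed array" shape with a bounds-checked import that fails the handshake cleanly. The type and constant names (`cert_ref_t`, `client_chain_t`, `MAX_CHAIN_CERTS`, `import_chain_*`) and the chain contents are constructed for illustration; the real array size in mod_gnutls is not given on this page.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-in for the server's fixed-size chain array (the real
 * size in mod_gnutls is not given on this page). */
#define MAX_CHAIN_CERTS 8

/* Stand-in for an opaque certificate handle such as gnutls_x509_crt_t. */
struct cert_obj { unsigned id; };
typedef struct cert_obj *cert_ref_t;

/* Constructed model of a peer-supplied chain: a count the client controls
 * plus the decoded certificate objects behind it. */
#define CHAIN_STORAGE 64
typedef struct {
    size_t count;                         /* untrusted: comes from the peer */
    struct cert_obj certs[CHAIN_STORAGE]; /* decoded objects for this example */
} client_chain_t;

/* Vulnerable shape: trusts chain->count and never learns how big 'out' is.
 * With count > capacity the pointer writes run past the array; the page
 * describes that as "generally" a segfault. Shown for contrast only and
 * called below only with a chain that fits. */
static size_t import_chain_unchecked(cert_ref_t out[], client_chain_t *chain)
{
    for (size_t i = 0; i < chain->count; i++)
        out[i] = &chain->certs[i];
    return chain->count;
}

/* Hardened shape: capacity travels with the array, the untrusted count is
 * checked before any write, and an over-long chain is rejected so the
 * handshake fails cleanly instead of corrupting memory. */
static int import_chain_checked(cert_ref_t out[], size_t capacity,
                                client_chain_t *chain)
{
    if (chain->count == 0 || chain->count > capacity)
        return -1;
    for (size_t i = 0; i < chain->count; i++)
        out[i] = &chain->certs[i];
    return (int)chain->count;
}

/* Builds a constructed chain claiming n certificates. */
static client_chain_t make_chain(size_t n)
{
    client_chain_t chain;
    chain.count = n;
    size_t filled = n < CHAIN_STORAGE ? n : CHAIN_STORAGE;
    for (size_t i = 0; i < filled; i++)
        chain.certs[i].id = (unsigned)i;
    return chain;
}

/* Runs the hardened import for a chain of n certs against the fixed array
 * and returns its verdict: the number imported, or -1 when rejected. */
static int import_with_count(size_t n)
{
    cert_ref_t out[MAX_CHAIN_CERTS];
    client_chain_t chain = make_chain(n);
    return import_chain_checked(out, MAX_CHAIN_CERTS, &chain);
}

int main(void)
{
    cert_ref_t out[MAX_CHAIN_CERTS];
    client_chain_t fits = make_chain(3);

    /* The unchecked path behaves for a well-formed chain, which is why the
     * bug stays latent until a peer sends more certs than the array holds. */
    printf("unchecked import of 3 certs: %zu\n",
           import_chain_unchecked(out, &fits));

    printf("checked import of 3 certs:   %d\n", import_with_count(3));
    printf("checked import of %d certs:   %d\n", MAX_CHAIN_CERTS,
           import_with_count(MAX_CHAIN_CERTS));
    printf("checked import of %d certs:   %d (rejected)\n", MAX_CHAIN_CERTS + 1,
           import_with_count(MAX_CHAIN_CERTS + 1));
    return 0;
}
```

The point of the hardened shape is that the array's capacity is part of the function's contract, so the untrusted count is compared against it before the first write; an over-long chain then surfaces as a failed handshake, which is the outcome a defender wants to see in the error log rather than a worker segfault.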
This matters operationally because mTLS endpoints are frequently internet-facing for B2B integrations, and “crash-on-parse” bugs in handshake-time code paths are easy to probe at scale and can cause noisy but real availability incidents.
Who is impacted
- Apache HTTPD deployments using `mod_gnutls` where client-certificate verification is enabled.
- Per the CVE description, configurations that do not use client certificates are not affected (the default setting is explicitly called out as unaffected).
| Component | Affected versions (per description) | Patched versions (per description) |
|---|---|---|
| mod_gnutls client certificate verification | prior to 0.12.3 and 0.13.0 | 0.12.3, 0.13.0 |
Note: the CVE record’s structured “affected” field lists only < 0.12.3, while the narrative description discusses fixes in both 0.12.3 and 0.13.0. Treat this as a multi-branch fix and validate against your deployed branch.
What to do now
- Follow upstream remediation guidance and apply the latest patched release available at the time of writing.
  > "There is no workaround."
- If you do not need mTLS client-certificate verification on a given listener, reduce exposure by ensuring client cert verification is not enabled on that endpoint.
  > "Server configurations that do not use client certificates (`GnuTLSClientVerify ignore`, the default) are not affected."
- Inventory where `mod_gnutls` is deployed (including reverse proxies and “legacy” httpd front-ends) and identify which vhosts/listeners have client certificate verification enabled.
- Treat unexplained httpd worker crashes as a potential signal: correlate segfaults/restarts with TLS handshake traffic spikes and source IPs hitting mTLS endpoints.
Additional Information
- GitHub Security Advisory referenced by the CVE: GHSA-gjpm-55p4-c76r.
- The CVE title contains a typo (“mod_gnutils” vs `mod_gnutls`); use the CVE ID when correlating across scanners and advisories.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
