CVE-2026-10028
Description
A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A crafted certificate chain with circular issuer relationships causes an infinite loop in the glib-networking GnuTLS backend, leading to a denial of service via CPU exhaustion.
Vulnerability
A flaw in glib-networking versions including 2.80.0-3.el10 allows a remote attacker to trigger an infinite loop during certificate verification. The bug resides in the GnuTLS backend where issuer links between GTlsCertificateGnutls objects are established. When a peer presents a certificate chain where two certificates mutually satisfy gnutls_x509_crt_check_issuer(), the in-memory chain becomes cyclic rather than terminating at a NULL issuer. The code that walks issuer links to convert the chain for GnuTLS has no cycle detection or depth bound, causing unbounded traversal [3].
Exploitation
An attacker must be able to present a specially crafted certificate chain to an application using glib-networking with the GnuTLS backend enabled. This typically occurs during a TLS handshake where certificate verification is performed, such as when a server verifies client certificates or a client connects to an attacker-controlled TLS server. The attacker supplies a chain where two certificates are configured to mutually satisfy the issuer check. No authentication or user interaction is required; the network connection itself triggers the vulnerable code path [2][3].
Impact
Successfully exploited, the infinite loop consumes excessive CPU resources, causing a denial of service for the affected process or worker thread. No confidentiality or integrity impact has been established [1][2].
Mitigation
As of the published date, no official fixed version of glib-networking has been released. The issue is tracked upstream in GNOME GitLab [3]. Users should monitor for a patched version once upstream coordination occurs. No workaround has been published in the available references [1][2][3].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"Missing cycle detection in certificate chain traversal allows a circular issuer relationship to cause an infinite loop during verification."
Attack vector
A remote attacker presents a crafted TLS certificate chain containing two cross-issued certificates that mutually satisfy `gnutls_x509_crt_check_issuer()` [ref_id=1]. When the GnuTLS backend builds the in-memory chain, certificate A is set as the issuer of B and B as the issuer of A, creating a cycle [ref_id=1][ref_id=2]. During verification, `convert_certificate_chain_to_gnutls()` walks issuer links until NULL, but the cycle prevents termination, causing the handshake thread to spin indefinitely and consume CPU [ref_id=1]. The attacker needs only network access to present the crafted chain during a TLS handshake where certificate verification is exercised [ref_id=1].
Affected code
The vulnerability resides in `tls/gnutls/gtlsdatabase-gnutls.c` in the `convert_certificate_chain_to_gnutls()` function, which walks issuer links without cycle detection [ref_id=1]. The cyclic chain is constructed in `tls/gnutls/gtlscertificate-gnutls.c` where issuer links are set based on `gnutls_x509_crt_check_issuer()` without preventing mutual issuer relationships [ref_id=1].
What the fix does
The proposed patch adds a `GHashTable` to track visited certificates and a maximum depth bound of 100 in `convert_certificate_chain_to_gnutls()` [ref_id=1]. Both traversal loops now check whether the current certificate has already been seen or the depth limit has been reached, and jump to a `fail` label that frees resources and returns NULL [ref_id=1]. The caller is updated to handle a NULL return by failing with `G_TLS_CERTIFICATE_GENERIC_ERROR` instead of proceeding with an unbounded loop [ref_id=1]. This closes the vulnerability by rejecting malformed cyclic chains rather than traversing them indefinitely.
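A self-contained C model of the bounded traversal described above, added here as an illustration rather than glib-networking's own code: the `Cert` struct, `walk_chain_bounded()` and `MAX_CHAIN_DEPTH` are assumed names, and a fixed pointer array stands in for the patch's `GHashTable` of visited certificates.

```c
#include <stddef.h>

#define MAX_CHAIN_DEPTH 100  /* depth bound matching the advisory's "100" */

/* Hypothetical stand-in for a certificate object that carries an issuer
 * link (not glib-networking's GTlsCertificateGnutls). */
typedef struct Cert {
    const char *subject;
    struct Cert *issuer;   /* NULL at the end of a well-formed chain */
} Cert;

/* Walk issuer links and return the chain length, or -1 if the chain is
 * cyclic or exceeds MAX_CHAIN_DEPTH. This mirrors the fix's two checks:
 * "already seen" (visited set) and "depth limit reached". The unpatched
 * loop is the same walk without either check, so a cycle never ends it. */
int walk_chain_bounded(Cert *leaf) {
    const Cert *seen[MAX_CHAIN_DEPTH];
    int depth = 0;
    for (Cert *c = leaf; c != NULL; c = c->issuer) {
        if (depth >= MAX_CHAIN_DEPTH)
            return -1;                 /* depth bound reached: reject */
        for (int i = 0; i < depth; i++)
            if (seen[i] == c)
                return -1;             /* certificate already visited: cycle */
        seen[depth++] = c;
    }
    return depth;
}

/* Constructed cross-issued pair from the advisory: A's issuer is B and B's
 * issuer is A, so "walk until NULL" would spin forever without the checks. */
int cyclic_pair_is_rejected(void) {
    Cert a = { "A", NULL }, b = { "B", NULL };
    a.issuer = &b;
    b.issuer = &a;
    return walk_chain_bounded(&a) == -1;
}

/* Constructed well-formed chain: leaf -> intermediate -> root -> NULL. */
int linear_chain_length(void) {
    Cert root  = { "root", NULL };       /* self-signed root, no further issuer */
    Cert inter = { "intermediate", &root };
    Cert leaf  = { "leaf", &inter };
    return walk_chain_bounded(&leaf);
}
```

A caller would treat the -1 return the way the patch treats NULL: fail verification for the cyclic chain instead of continuing the walk.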
Preconditions
- config: Application uses glib-networking with the GnuTLS backend enabled
- config: Application performs certificate verification on a peer-supplied chain (e.g., server verifying client certificates, or client connecting to an attacker-controlled TLS server)
- network: Attacker can present a crafted certificate chain during a TLS handshake
- auth: No prior authentication required to supply the peer certificate chain
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.