From a3e7c50d3e1761e5ef1d4b225507cab8f2b2c3ca Mon Sep 17 00:00:00 2001
From: Alexander Sosedkin <asosedkin@redhat.com>
Date: Mon, 20 Apr 2026 22:42:20 +0200
Subject: x509/pkcs12_bag: fix off-by-one in bag element bounds check

Appending elements to a PKCS#12 bag had a bounds check that
prevented adding the 32nd element.
On the other hand, it is possible to import one that already has 32.
Subsequent appending then led to writing past the 32-element array,
smashing its length.

Tighten the check to reject any bag with 32 or more elements.

We'll treat this vulnerability as a Low due to how contrived
the requirements are: for the code to be vulnerable,
it needs to append to an imported untrusted unencrypted PKCS#12 structure.

Reported-by: Zou Dikai
Fixes: #1840
Fixes: CVE-2026-42015
Fixes: GNUTLS-SA-2026-04-29-11
CVSS: 6.1 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
Severity: Low
Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>
---
 lib/x509/pkcs12_bag.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: gnutls-3.8.10/lib/x509/pkcs12_bag.c
===================================================================
--- gnutls-3.8.10.orig/lib/x509/pkcs12_bag.c
+++ gnutls-3.8.10/lib/x509/pkcs12_bag.c
@@ -375,7 +375,7 @@ int gnutls_pkcs12_bag_set_data(gnutls_pk
 		return GNUTLS_E_INVALID_REQUEST;
 	}
 
-	if (bag->bag_elements == MAX_BAG_ELEMENTS - 1) {
+	if (bag->bag_elements >= MAX_BAG_ELEMENTS - 1) {
 		gnutls_assert();
 		/* bag is full */
 		return GNUTLS_E_MEMORY_ERROR;
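Review bot: the new condition `bag->bag_elements >= MAX_BAG_ELEMENTS - 1` rejects a bag once it holds MAX_BAG_ELEMENTS - 1 elements, which does not match the commit message's "reject any bag with 32 or more elements" (assuming MAX_BAG_ELEMENTS is 32, the message describes `>= MAX_BAG_ELEMENTS`). The `>=` does close the overflow for imported bags that already hold 32, but it also keeps the original off-by-one that the message itself calls out, so an appended bag can still never reach its full capacity. Either change the comparison to `if (bag->bag_elements >= MAX_BAG_ELEMENTS) {` so the check rejects only when the array is actually full, or, if the last slot is intentionally kept spare, say so in the `/* bag is full */` comment and correct the commit message to "31 or more". Separately, since the message states that import can already produce a bag with 32 elements, the parse path should enforce the same bound so that an over-full bag is rejected at import rather than only at the next append.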
