CVE-2026-10028

medium

Published 2026-05-28 · Modified 2026-05-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

4.3

Description

A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.

Predictions

Exploit likelihood

53%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-10028 NameCVE-2026-10028 DescriptionA flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during…

CVE-2026-10028

Name	CVE-2026-10028
Description	A flaw was found in glib-networking. A remote attacker can exploit this vulnerability by presenting a specially crafted certificate chain to an application that uses glib-networking with the GnuTLS backend enabled and performs certificate verification. This crafted chain, which contains circular issuer relationships, can cause an infinite loop during certificate verification. The unbounded traversal consumes excessive CPU resources, leading to a denial of service for the affected process or worker.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glib-networking (PTS)	bullseye	2.66.0-2	vulnerable
	bookworm	2.74.0-4	vulnerable
	forky, sid, trixie	2.80.1-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
glib-networking	source	(unstable)	(unfixed)

Notes

[trixie] - glib-networking <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - glib-networking <postponed> (Minor issue, revisit when fixed upstream)
https://bugzilla.redhat.com/show_bug.cgi?id=2465152
https://gitlab.gnome.org/GNOME/glib-networking/-/work_items/231

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

[trixie] - glib-networking <postponed> (Minor issue, revisit when fixed upstream)[bookworm] - glib-networking <postponed> (Minor issue, revisit when fixed upstream)https://bugzilla.redhat.com/show_bug.cgi?id=2465152https://gitlab.gnome.org/GNOME/glib-networking/-/work_items/231

OS impact

OS	Version	Status
debian	bookworm	affected
debian	bullseye	affected
debian	forky	affected
debian	sid	affected
debian	trixie	affected

References

CWEs

CWE-835

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.