Skip to main content

GnuTLS CVE-2026-42010

| EUVDEUVD-2026-28354 CRITICAL
Null Byte Interaction Error (Poison Null Byte) (CWE-626)
2026-05-07 secalert@redhat.com GHSA-m3r7-xjq8-gc4r
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.4 HIGH

Network, no auth or interaction, but AC:H because exploitation requires the non-default RSA-PSK configuration plus a crafted NUL-byte identity; impact is unauthorized access (C:H/I:H) with no clear availability loss (A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
SUSE
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Red Hat
7.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 24, 2026 - 17:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 24, 2026 - 17:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 24, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
Jun 24, 2026 - 17:22 NVD
HIGH CRITICAL
CVSS changed
Jun 24, 2026 - 17:22 NVD
7.1 (HIGH) 9.8 (CRITICAL)
Analysis Generated
May 07, 2026 - 12:45 vuln.today
CVE Published
May 07, 2026 - 12:16 nvd
HIGH 7.1

DescriptionNVD

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest-Shamir-Adleman - Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

AnalysisAI

Authentication bypass in GnuTLS affects servers that enable the RSA-PSK key exchange, where the PSK identity comparison treats a username containing an embedded NUL byte as equal to a legitimate truncated username. Remote attackers can send a crafted username to circumvent pre-shared-key authentication and gain unauthorized access. There is no public exploit identified at time of analysis, the EPSS probability is low (0.15%), and CISA SSVC scores exploitation as none - indicating high theoretical severity but no observed real-world abuse.

Technical ContextAI

GnuTLS is the GNU implementation of the TLS/SSL and DTLS protocols, bundled across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, Red Hat hardened images, and Ubuntu. The flaw lives in the RSA-PSK (Pre-Shared Key with RSA) ciphersuite path, a TLS key-exchange mode that authenticates a peer by a shared secret tied to a username/identity hint. The root cause maps to CWE-626 (Null Byte Interaction Error): the identity string is compared in a way that mishandles an embedded NUL, so a value such as 'admin\0extra' is wrongly matched against the stored 'admin' identity, effectively truncating the comparison and defeating the intended PSK identity check.

RemediationAI

Patch available per vendor advisory: apply the fixed GnuTLS packages from your distribution. Red Hat customers should install the relevant errata - RHSA-2026:13274 (https://access.redhat.com/errata/RHSA-2026:13274) and the follow-on advisories RHSA-2026:20611, RHSA-2026:20612, RHSA-2026:20613, RHSA-2026:26319, RHSA-2026:26409, and RHSA-2026:29197 - matched to your RHEL/OpenShift version. Ubuntu users should apply USN-8284-1 (https://ubuntu.com/security/notices/USN-8284-1). Exact upstream fixed GnuTLS version numbers were not provided in the input and should be confirmed from the linked advisories rather than assumed. As an immediate compensating control where patching must wait, disable the RSA-PSK ciphersuite in the affected server's GnuTLS priority string (remove RSA-PSK key exchange from the configured priorities); the trade-off is that any legitimate clients depending on RSA-PSK authentication will lose connectivity, so confirm no production clients rely on it before disabling. Services that do not use RSA-PSK are not exposed and need only routine patching.

More in Gnutls

View all
CVE-2021-20231 CRITICAL POC
9.8 Mar 12

A flaw was found in gnutls. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentic

CVE-2014-3466 MEDIUM POC
6.8 Jun 03

Buffer overflow in the read_server_hello function in lib/gnutls_handshake.c in GnuTLS before 3.1.25, 3.2.x before 3.2.15

CVE-2024-0553 HIGH POC
7.5 Jan 16

A vulnerability was found in GnuTLS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no auth

CVE-2012-1663 HIGH POC
7.5 Mar 13

Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (app

CVE-2020-24659 HIGH POC
7.5 Sep 04

An issue was discovered in GnuTLS before 3.6.15. Rated high severity (CVSS 7.5), this vulnerability is remotely exploita

CVE-2019-3836 HIGH POC
7.5 Apr 01

It was discovered in gnutls before version 3.6.7 upstream that there is an uninitialized pointer access in gnutls versio

CVE-2019-3829 HIGH POC
7.5 Mar 27

A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-0361 HIGH POC
7.4 Feb 15

A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. Rated high severity (C

CVE-2012-1569 MEDIUM POC
5.0 Mar 26

The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other pr

CVE-2017-5334 CRITICAL
9.8 Mar 24

Double free vulnerability in the gnutls_x509_ext_import_proxy function in GnuTLS before 3.3.26 and 3.5.x before 3.5.8 al

CVE-2012-1573 MEDIUM POC
5.0 Mar 26

gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with

CVE-2017-5336 CRITICAL
9.8 Mar 24

Stack-based buffer overflow in the cdk_pk_get_keyid function in lib/opencdk/pubkey.c in GnuTLS before 3.3.26 and 3.5.x b

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed

Share

CVE-2026-42010 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy