CVE-2026-42010
HIGHDescription
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
Is your site exposed to CVE-2026-42010?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| gnu | gnutls |
| redhat | hardened_images |
| redhat | openshift_container_platform |
| redhat | enterprise_linux |
| redhat | enterprise_linux |
| redhat | enterprise_linux |
| redhat | enterprise_linux |
| redhat | enterprise_linux |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2026-42010? +
How severe is CVE-2026-42010? +
What products are affected by CVE-2026-42010? +
How do I check if I'm vulnerable to CVE-2026-42010? +
Related Vulnerabilities
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC …
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode() function …
Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to …
In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such …
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be …
An issue in GNU Savane v.3.12 and before allows a remote attacker to escalate privileges via the form_id in the …