CVE-2026-42010: GnuTLS: authentication bypass via NUL character in username

Published May 6, 2026

A flaw was found in GnuTLS. Servers configured with RSA-PSK (Rivest–Shamir–Adleman Pre-Shared Key) incorrectly matched usernames containing a NUL character against truncated usernames. A remote attacker could exploit this by sending a specially crafted username, bypassing authentication and gaining unauthorized access.
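An added illustration of the bug class described above, not GnuTLS source code: it assumes the mismatch arises from comparing a length-carrying username as a C string, which the page does not confirm. The struct, function names and sample users are hypothetical; the second function shows the length-aware check a reviewer would look for.

```c
#include <stdio.h>
#include <string.h>

/* Username as received on the wire: raw bytes plus an explicit length. */
struct wire_name { const unsigned char *data; size_t size; };

/* Constructed sample credential table (hypothetical entries). */
static const char *const known_users[] = { "alice", "bob" };
#define N_USERS (sizeof(known_users) / sizeof(known_users[0]))

/* Flawed pattern: treats the wire bytes as a C string, so comparison
 * stops at the first NUL and "alice\0x" is seen as "alice".
 * Assumes the buffer is NUL-terminated, as the samples below are. */
int lookup_cstring(const struct wire_name *n)
{
    for (size_t i = 0; i < N_USERS; i++)
        if (strcmp((const char *)n->data, known_users[i]) == 0)
            return (int)i;
    return -1;
}

/* Length-aware pattern: reject any embedded NUL, then require the full
 * received length to equal the stored name's length before memcmp. */
int lookup_exact(const struct wire_name *n)
{
    if (n->size == 0 || memchr(n->data, '\0', n->size) != NULL)
        return -1;
    for (size_t i = 0; i < N_USERS; i++) {
        size_t len = strlen(known_users[i]);
        if (len == n->size && memcmp(n->data, known_users[i], len) == 0)
            return (int)i;
    }
    return -1;
}

/* Constructed inputs: a plain name and one carrying a NUL and a suffix. */
static const unsigned char plain_bytes[] = { 'a','l','i','c','e', 0 };
static const unsigned char nul_bytes[] = { 'a','l','i','c','e', 0, 'x', 0 };
const struct wire_name plain_name = { plain_bytes, 5 };
const struct wire_name nul_name = { nul_bytes, 7 };

int main(void)
{
    printf("cstring: %d  exact: %d\n", lookup_cstring(&nul_name),
           lookup_exact(&nul_name));
    return 0;
}
```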

Affected Software

10 affected components. Fixes available.
GnuTLS libgnutls
GNU GnuTLS
redhat Hardened Images
redhat OpenShift Container Platform=4.0
redhat Enterprise Linux=6.0
redhat Enterprise Linux=7.0
redhat Enterprise Linux=8.0
redhat Enterprise Linux=9.0
redhat Enterprise Linux=10.0
debian/gnutls28 <=3.7.1-5+deb11u5, <=3.7.1-5+deb11u9, <=3.7.9-2+deb12u6, <=3.8.9-3+deb13u3
Fixed versions: 3.7.9-2+deb12u7, 3.8.9-3+deb13u4, 3.8.13-1

Event History

May 6, 2026
Data sourced via Red Hat, 05:08 PM: Description, Severity, Affected Software

May 7, 2026
CVE published via MITRE, 12:00 PM
Data sourced via MITRE, 12:00 PM: Description, Severity
Data sourced via NVD, 12:16 PM: Description, Severity, Weakness, Affected Software

May 20, 2026
Data sourced via Debian, 02:42 PM: Description, Affected Software
Data sourced via Launchpad, 02:42 PM: Description

May 21, 2026
Data sourced via Ubuntu, 02:42 PM: Remedy, Description, Severity, Affected Software


Frequently Asked Questions

1. What is the severity of CVE-2026-42010?

CVE-2026-42010 is classified as a medium severity vulnerability due to the potential for authentication bypass.

2. How do I fix CVE-2026-42010?

To fix CVE-2026-42010, update to the latest version of GnuTLS that addresses this vulnerability.

3. What types of systems are affected by CVE-2026-42010?

CVE-2026-42010 affects systems using GnuTLS with RSA-PSK authentication configured to accept usernames.

4. Is CVE-2026-42010 remotely exploitable?

Yes, CVE-2026-42010 can be remotely exploited by attackers sending specially crafted usernames containing NUL characters.

5. What impact does CVE-2026-42010 have on user authentication?

CVE-2026-42010 allows attackers to bypass authentication processes, potentially granting unauthorized access to systems.

© 2026 SecAlerts Pty Ltd.