GNUTLS RSA-PSK Username NUL Bypass Auth
CVE-2026-42010 Published on May 7, 2026

Gnutls: gnutls: authentication bypass via nul character in username
A flaw was found in gnutls. Servers configured with RSA-PSK (RivestShamirAdleman Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.

NVD

Vulnerability Analysis

CVE-2026-42010 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
LOW
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.


Products Associated with CVE-2026-42010

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Enterprise Linux (RHEL)
 
Red Hat Hummingbird
 
Red Hat Openshift
 

Affected Versions

Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat Hardened Images: Red Hat OpenShift Container Platform 4: