Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-42010
7.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log
- Created suggestion
Gnutls: gnutls: authentication bypass via nul character in username
A flaw was found in gnutls. Servers configured with RSA-PSK (Rivest–Shamir–Adleman – Pre-Shared Key) wrongfully matched usernames containing a NUL character with truncated usernames. A remote attacker could exploit this by sending a specially crafted username, leading to an authentication bypass. This vulnerability allows an attacker to gain unauthorized access by circumventing the authentication process.
References
Affected products
rhcos
gnutls
Matching in nixpkgs
pkgs.gnutls
GNU Transport Layer Security Library
pkgs.guile-gnutls
Guile bindings for GnuTLS library
pkgs.python312Packages.python3-gnutls
Python wrapper for the GnuTLS library
-
nixos-25.11 python3-gnutls-3.1.10
- nixos-25.11-small python3-gnutls-3.1.10
- nixpkgs-25.11-darwin python3-gnutls-3.1.10
pkgs.python313Packages.python3-gnutls
Python wrapper for the GnuTLS library
-
nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10
-
nixos-25.11 python3-gnutls-3.1.10
- nixos-25.11-small python3-gnutls-3.1.10
- nixpkgs-25.11-darwin python3-gnutls-3.1.10
pkgs.python314Packages.python3-gnutls
Python wrapper for the GnuTLS library
-
nixos-unstable python3-gnutls-3.1.10
- nixpkgs-unstable python3-gnutls-3.1.10
- nixos-unstable-small python3-gnutls-3.1.10
Package maintainers
-
@vcunat Vladimír Čunát <v@cunat.cz>
-
@charlieshanley Charlie Hanley <charlieshanley@gmail.com>