Threat Feed
high advisory

GNUTLS RSA-PSK Authentication Bypass Vulnerability (CVE-2026-42010)

A vulnerability in GNUTLS (CVE-2026-42010) allows a remote attacker to bypass authentication on servers configured with RSA-PSK by sending a specially crafted username containing a NUL character, leading to unauthorized access.

CVE-2026-42010 describes an authentication bypass vulnerability affecting GNUTLS, a widely used TLS library. The flaw resides in the handling of RSA-PSK (RSA key exchange combined with a pre-shared key) configurations. Specifically, servers configured with RSA-PSK incorrectly treat a username containing a NUL character as equal to the username truncated at that NUL. This can be exploited remotely by an attacker who sends a specially crafted username that includes a NUL character. The vulnerability was published on 2026-05-07, and exploitation can lead to unauthorized access to affected systems. Defenders should prioritize patching vulnerable GNUTLS installations to prevent potential authentication bypass attacks.

Attack Chain

  1. Attacker identifies a server utilizing GNUTLS configured with RSA-PSK authentication.
  2. Attacker crafts a malicious username containing a NUL character (e.g., “user\x00name”).
  3. Attacker initiates a TLS handshake with the vulnerable server, presenting the crafted username during the RSA-PSK authentication exchange.
  4. The vulnerable GNUTLS server truncates the username at the NUL character (“user”) due to the flaw.
  5. The server compares the truncated username with the expected username, potentially leading to a successful match if a user with the prefix exists.
  6. The attacker successfully authenticates to the server without providing the correct credentials.
  7. Attacker gains unauthorized access to resources and services protected by the vulnerable server.
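The truncation described in steps 4 and 5 is the classic consequence of treating a length-prefixed network field as a C string. The following is an added illustration written for this advisory, not GNUTLS source code: the type and function names are hypothetical, and the sample username is constructed from the advisory's "user\x00name" example. It places the truncating comparison beside a length-aware one that also rejects embedded NUL bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical representation of a PSK identity as received on the wire:
 * a length-prefixed byte string, so it may legitimately contain any byte,
 * including NUL. */
typedef struct {
    const unsigned char *data;
    size_t len;
} psk_username;

/* Vulnerable pattern: strcmp stops at the first NUL byte, so the 9-byte
 * identity "user\0name" compares equal to the 4-byte expected name "user". */
bool username_matches_truncating(const psk_username *presented,
                                 const char *expected)
{
    return strcmp((const char *)presented->data, expected) == 0;
}

/* Hardened pattern: compare the declared length first, refuse any
 * embedded NUL, and then compare every byte with memcmp. */
bool username_matches_full(const psk_username *presented,
                           const char *expected)
{
    size_t expected_len = strlen(expected);
    if (presented->len != expected_len)
        return false;
    if (memchr(presented->data, '\0', presented->len) != NULL)
        return false;
    return memcmp(presented->data, expected, expected_len) == 0;
}

/* Constructed sample input: the advisory's crafted identity, 9 bytes
 * on the wire (sizeof includes the literal's own terminator). */
static const unsigned char kCrafted[] = "user\0name";
static const psk_username kCraftedUser = { kCrafted, sizeof(kCrafted) - 1 };
static const char kExpected[] = "user";

int main(void)
{
    printf("truncating check accepts crafted name: %s\n",
           username_matches_truncating(&kCraftedUser, kExpected) ? "yes" : "no");
    printf("length-aware check accepts crafted name: %s\n",
           username_matches_full(&kCraftedUser, kExpected) ? "yes" : "no");
    return 0;
}
```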

Impact

Successful exploitation of CVE-2026-42010 allows an attacker to bypass authentication mechanisms, gaining unauthorized access to sensitive resources. The impact includes potential data breaches, service disruption, and privilege escalation within the affected systems. This vulnerability poses a significant risk to organizations relying on GNUTLS for secure communication, especially in environments where RSA-PSK is utilized. The CVSS v3.1 base score of 7.1 indicates a high level of severity, highlighting the urgency for remediation.

Recommendation

  • Upgrade GNUTLS to a patched version that addresses CVE-2026-42010.
  • Implement the Sigma rule “Detect GNUTLS RSA-PSK Authentication Bypass Attempt” to identify potential exploitation attempts.
  • Review server configurations to minimize the use of RSA-PSK where possible, favoring stronger authentication mechanisms.
  • Monitor authentication logs for suspicious usernames containing NUL characters to detect potential exploitation attempts.
  • Enable verbose logging on GNUTLS servers to capture detailed authentication events for forensic analysis.

Detection coverage (2 rules)

Detect GNUTLS RSA-PSK Authentication Bypass Attempt

high

Detects attempts to exploit CVE-2026-42010 by identifying usernames containing NUL characters during authentication.

Rule type: Sigma. Tactics: initial_access. Techniques: T1550.002. Sources: network_connection, linux.

Detect GNUTLS Authentication with Suspicious Username Length

medium

Detects potentially malicious authentication attempts where the username length deviates significantly from the norm, possibly indicating a username truncated at a NUL character as described for this vulnerability.

Rule type: Sigma. Tactics: initial_access. Techniques: T1550.002. Sources: network_connection, linux.
