PatchSiren cyber security CVE debrief
CVE-2026-42014 Red Hat CVE debrief
A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used to change the Security Officer PIN, contains a use-after-free vulnerability. It is triggered when an attacker attempts to change the PIN with a NULL old PIN on a token that lacks a protected authentication path.
- Vendor: Red Hat
- Product: Red Hat Enterprise Linux 10
- CVSS: MEDIUM 6.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of GnuTLS, in particular anyone who manages PKCS#11 tokens through it, should be aware of this vulnerability. This includes but is not limited to Linux distributions, as GnuTLS is widely used in many applications and systems.
Technical summary
The vulnerability is caused by the `gnutls_pkcs11_token_set_pin` function mishandling a Security Officer PIN change when the old PIN is NULL and the token lacks a protected authentication path. The result is a use-after-free, which could allow an attacker to execute arbitrary code or cause a denial of service.
Defensive priority
Medium
Recommended defensive actions
- Apply patches or updates provided by the GnuTLS maintainers or relevant Linux distributions as soon as possible.
- Review code that changes token PINs through GnuTLS and confirm it supplies the old PIN, or uses a token with a protected authentication path, so the flawed code path is not reached.
- Consider implementing additional security measures, such as monitoring for suspicious activity related to PIN changes.
Evidence notes
The CVE-2026-42014 record was sourced from the National Vulnerability Database (NVD) and CVE.org. Additional information was gathered from Red Hat's security advisories and GnuTLS's official security announcements.
Official resources
CVE-2026-42014 was published on 2026-06-16T02:16:19.140Z and has not been modified since its publication.