CVE Catalog

CVE-2026-42014

MediumCVSS 6.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.15%

5th percentile — higher than 5% of all known CVEs

Summary

A use-after-free vulnerability was found in the GnuTLS library in the `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN. The flaw occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Risk Assessment

An attacker could exploit this vulnerability to execute arbitrary code in the context of the process using GnuTLS, potentially leading to confidentiality, integrity, or availability breaches.

Recommendation

Immediately update GnuTLS to a patched version. Until then, avoid using the `gnutls_pkcs11_token_set_pin` function with a NULL old PIN for tokens without a protected authentication path.

Original NVD description (English source)

A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS