CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-42009

highcovered by 2 sourcesfirst seen 2026-07-06
It was discovered that GnuTLS had a timing side-channel when processing malformed ciphertexts in RSA-PSK ClientKeyExchange. A remote attacker could possibly use this issue to recover sensitive information. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-0553) Bing Shi discovered that GnuTLS incorrectly handled decoding certain DER-encoded certificates. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2024-12243) Luigino Camastra discovered that GnuTLS incorrectly handled certain PKCS11 token labels. A remote attacker could use this issue to cause GnuTLS to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. (CVE-2025-9820) Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and subject alternative names. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2025-14831) Oleh Konko and Joshua Rogers discovered that GnuTLS did not properly handle case-insensitive name constraints in certain cases. A remote attacker could possibly use this issue to bypass certificate validation, leading to a machine-in-the-middle attack. (CVE-2026-3833) Joshua Rogers discovered that GnuTLS did not properly handle very short premaster secrets in certain RSA key exchange cases with PKCS#11-backed server keys. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2026-5260) Joshua Rogers discovered that GnuTLS did not properly handle malformed DTLS handshake fragments in certain cases. A remote attacker could possibly use this issue to ob

CSIRTS triage

What
Multiple vulnerabilities could lead to information disclosure, denial of service, or arbitrary code execution.
Who is affected
Users of GnuTLS on Ubuntu 18.04 LTS.
Urgency
Remediation is important due to the severity of the vulnerabilities.
Action
Apply the latest security updates for GnuTLS.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-42009

Get an email if CVE-2026-42009 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-42009

CVE.org record

Embed the live status

CVE-2026-42009 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-42009 status](https://www.csirts.com/badge/CVE-2026-42009)](https://www.csirts.com/cve/CVE-2026-42009)