Use-After-Free Vulnerability in GnuTLS's Security Officer PIN Functionality
CVE-2026-42014

6.6 MEDIUM

What is CVE-2026-42014?

A use-after-free vulnerability exists in the gnutls_pkcs11_token_set_pin function of GnuTLS. The flaw arises when an attacker attempts to set a new PIN with a NULL old PIN on a token that does not have a protected authentication path. Exploitation can compromise the security of sensitive operations, allowing unauthorized access to or manipulation of the token.

Affected Version(s)

Red Hat Enterprise Linux 10 0:3.8.10-4.el10_2

Red Hat Enterprise Linux 8 0:3.6.16-8.el8_10.6

CVSS V3.1

Score: 6.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Joshua Rogers (AISLE Research Team) and Luigino Camastra for reporting this issue.