CVE-2026-42014
MediumCVSS 6.6Exploitation Probability (EPSS)
Low risk5th percentile — higher than 5% of all known CVEs
Summary
A use-after-free vulnerability was found in the GnuTLS library in the `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN. The flaw occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.
Risk Assessment
An attacker could exploit this vulnerability to execute arbitrary code in the context of the process using GnuTLS, potentially leading to confidentiality, integrity, or availability breaches.
Recommendation
Immediately update GnuTLS to a patched version. Until then, avoid using the `gnutls_pkcs11_token_set_pin` function with a NULL old PIN for tokens without a protected authentication path.
Original NVD description (English source)
A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path.

