Vulnerabilities

CVE-2026-24904 - TrustTunnel has `client_random_prefix` rule bypass via fragmented or partial TLS...

2026-01-29 0 views admin

CVE ID : CVE-2026-24904 Published : Jan. 29, 2026, 9:19 p.m. | 40 minutes ago Description : TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean

CVE Details

CVE ID

CVE-2026-24904

Published

Jan. 29, 2026

🏷️ Tags

cvevulnerabilitysecuritycybersecuritycve-2026-24904

CVE-2026-24904 - TrustTunnel has `client_random_prefix` rule bypass via fragmented or partial TLS...

CVE Details

🏷️ Tags

More from Vulnerabilities

CVE-2024-36320 - ATIHdwt6.sys Integer Overflow Vulnerability

CVE-2025-48518 - AMD Graphics Driver Out-of-Bounds Write Vulnerability

CVE-2023-31324 - AMD Secure Processor ASP TOCTOU Race Condition

CVE-2023-20548 - AMD Secure Processor TOCTOU Race Condition Vulnerability

Trending

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

CVE-2025-43939: Dell Unity OS Command Injection (High)

Google disputes false claims of massive Gmail data breach

Microsoft: DNS outage impacts Azure and Microsoft 365 services

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting