{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24904", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T19:35:20.530Z", "datePublished": "2026-01-29T21:19:53.261Z", "dateUpdated": "2026-01-29T21:34:31.465Z"}, "containers": {"cna": {"title": "TrustTunnel has `client_random_prefix` rule bypass via fragmented or partial TLS ClientHello", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "lang": "en", "description": "CWE-284: Improper Access Control", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87"}, {"name": "https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6", "tags": ["x_refsource_MISC"], "url": "https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6"}], "affected": [{"vendor": "TrustTunnel", "product": "TrustTunnel", "versions": [{"version": "< 0.9.115", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:19:53.261Z"}, "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean \"block non-matching prefixes\" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115."}], "source": {"advisory": "GHSA-fqh7-r5gf-3r87", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T21:34:05.106512Z", "id": "CVE-2026-24904", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:34:31.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24904", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T21:34:05.106512Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T21:34:17.709Z"}}], "cna": {"title": "TrustTunnel has `client_random_prefix` rule bypass via fragmented or partial TLS ClientHello", "source": {"advisory": "GHSA-fqh7-r5gf-3r87", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "TrustTunnel", "product": "TrustTunnel", "versions": [{"status": "affected", "version": "< 0.9.115"}]}], "references": [{"url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87", "name": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6", "name": "https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean \"block non-matching prefixes\" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-29T21:19:53.261Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24904", "state": "PUBLISHED", "dateUpdated": "2026-01-29T21:34:31.465Z", "dateReserved": "2026-01-27T19:35:20.530Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-29T21:19:53.261Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adguard:trusttunnel:*:*:*:*:*:*:*:*", "matchCriteriaId": "08F7E28C-244F-4FAE-9EDF-127191A1FED8", "versionEndExcluding": "0.9.115", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean \"block non-matching prefixes\" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115."}], "id": "CVE-2026-24904", "lastModified": "2026-02-20T20:58:09.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-29T22:15:55.047", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Patch"], "url": "https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:31:19.118823+00:00", "value": {"mitigation_remediation": ["Upgrade TrustTunnel to version 0.9.115 or later, which contains the fix for client_random extraction and rule evaluation.", "If an upgrade cannot be performed immediately, review and adjust rule configurations to avoid relying exclusively on client_random_prefix conditions, or temporarily disable rules that depend on this field until the patch is applied.", "Monitor VPN logs for anomalous TLS handshake failures and unexpected rule bypass incidents, and audit rule evaluation paths for compliance with intended security policies."], "summary": {"action": "Patch", "impact": "Bypass security rules"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the TrustTunnel VPN client and server software, specifically all released versions older than 0.9.115. The affected component is the TLS listener and rule engine code that processes client random prefixes.", "description_and_impact": "A flaw in TrustTunnel\u2019s TLS listener causes the extraction of the client_random field to fail when the TLS ClientHello is split across multiple packets. The rule engine evaluates the client_random_prefix condition only when a value is available; when extraction fails, the rule is skipped and evaluation continues to the next rules. This behavior permits an attacker to bypass rules that rely solely on client_random_prefix to enforce security decisions, potentially allowing unauthorized traffic into the VPN, and represents a missing access control weakness.", "risk_and_exploitability": "The CVSS score is 5.3, indicating medium severity. The EPSS score is less than 1%, suggesting low exploitation probability at the present time, and the vulnerability is not listed in the CISA KEV catalog. Attackers capable of sending a fragmented TLS handshake to a TrustTunnel listener can exploit the flaw over the network; no privileged access or additional conditions are required."}}}}, "created": "2026-01-30T08:42:34.228271+00:00", "updated": "2026-04-18T14:45:03.111267+00:00", "vendors": ["trusttunnel", "trusttunnel$PRODUCT$trusttunnel"]}