CVE-2026-24904

Summary

TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In tls_listener.rs, TlsListener::listen() peeks 1024 bytes and calls extract_client_random(...). If parse_tls_plaintext fails (for example, a fragmented/partial ClientHello split across TCP writes), extract_client_random returns None. In rules.rs, RulesEngine::evaluate only evaluates client_random_prefix when client_random is Some(...). As a result, when extraction fails (client_random == None), any rule that relies on client_random_prefix matching is skipped and evaluation falls through to later rules. As an important semantics note: client_random_prefix is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with client_random_prefix = ... triggers its action only when the prefix matches (and the field is available to evaluate). Non-matches (or None) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115.

Affected Software

VendorProductVersion RangeStatus
TrustTunnelTrustTunnel< 0.9.115affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References