From 3957f136e2ed23caf176a594b54b3827f5cef701 Mon Sep 17 00:00:00 2001 From: Alexander Sosedkin Date: Wed, 18 Mar 2026 18:19:06 +0100 Subject: pkcs11_write: fix UAF and leak in gnutls_pkcs11_token_set_pin Changing Security Officer PIN with gnutls_pkcs11_token_set_pin() with oldpin == NULL for a token that lacks a protected authentication path led to a use-after-free. Reported-by: Luigino Camastra and Joshua Rogers of AISLE Research Team Fixes: #1766 Fixes: #1809 Fixes: CVE-2026-42014 Fixes: GNUTLS-SA-2026-04-29-9 CVSS: 4.0 Medium CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Signed-off-by: Alexander Sosedkin --- lib/pkcs11_write.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) Index: gnutls-3.8.10/lib/pkcs11_write.c =================================================================== --- gnutls-3.8.10.orig/lib/pkcs11_write.c +++ gnutls-3.8.10/lib/pkcs11_write.c @@ -1266,10 +1266,9 @@ int gnutls_pkcs11_token_set_pin(const ch ses_flags = SESSION_WRITE | SESSION_LOGIN; ret = pkcs11_open_session(&sinfo, NULL, info, ses_flags); - p11_kit_uri_free(info); - if (ret < 0) { gnutls_assert(); + p11_kit_uri_free(info); return ret; } @@ -1290,9 +1289,11 @@ int gnutls_pkcs11_token_set_pin(const ch oldpin_size = L(oldpin); if (!(sinfo.tinfo.flags & CKF_PROTECTED_AUTHENTICATION_PATH)) { - if (newpin == NULL) - return gnutls_assert_val( + if (newpin == NULL) { + ret = gnutls_assert_val( GNUTLS_E_INVALID_REQUEST); + goto finish; + } if (oldpin == NULL) { struct pin_info_st pin_info; @@ -1324,6 +1325,7 @@ int gnutls_pkcs11_token_set_pin(const ch ret = 0; finish: + p11_kit_uri_free(info); pkcs11_close_session(&sinfo); return ret; }