CVE-2026-24904
Unknown Unknown - Not Provided
Rule Bypass Vulnerability in TrustTunnel VPN Before

Publication date: 2026-01-29

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(...)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean "block non-matching prefixes" by itself. A rule with `client_random_prefix = ...` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-01-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24904
EUVD
EUVD-2026-4949
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adguard trusttunnel to 0.9.115 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in TrustTunnel, an open-source VPN protocol, occurs in versions prior to 0.9.115 due to a rule bypass issue. When the function that extracts the client random value from TLS traffic fails (for example, if the ClientHello message is fragmented across TCP writes), the extraction returns None. Because the rules engine only evaluates rules based on the client_random_prefix when the client_random is present, any rules relying on this prefix are skipped if extraction fails. This causes the evaluation to fall through to later rules, potentially bypassing intended restrictions. The issue is fixed in version 0.9.115.

Impact Analysis

This vulnerability can allow certain VPN traffic to bypass rules that rely on the client_random_prefix for matching. As a result, intended restrictions or controls based on these rules may be bypassed, potentially allowing unauthorized or unintended traffic through the VPN. This could reduce the effectiveness of security policies enforced by TrustTunnel.

Mitigation Strategies

Upgrade TrustTunnel to version 0.9.115 or later, as this version contains the fix for the rule bypass issue described.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24904. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart