Vulners
Lucene search
Linux Distros Unpatched Vulnerability : CVE-2026-42501
10
| Source | Link |
|---|---|
| security-tracker | www.security-tracker.debian.org/tracker/CVE-2026-42501 |
| ubuntu | www.ubuntu.com/security/CVE-2026-42501 |
| cve | www.cve.mitre.org/cgi-bin/cvename.cgi |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(313248);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");
script_cve_id("CVE-2026-42501");
script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-42501");
script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.
- A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass
checksum database validation. This vulnerability affects any user using an untrusted module proxy
(GOMODPROXY) or checksum database (GOSUMDB). A malicious module proxy can serve altered versions of the Go
toolchain. When selecting a different version of the Go toolchain than the currently installed toolchain
(due to the GOTOOLCHAIN environment variable, or a go.work or go.mod with a toolchain line), the go
command will download and execute a toolchain provided by the module proxy. A malicious module proxy can
bypass checksum database validation for this downloaded toolchain. Since this vulnerability affects the
security of toolchain downloads, setting GOTOOLCHAIN to a fixed version is not sufficient. You must
upgrade your base Go toolchain. The go tool always validates the hash of a toolchain before executing it,
so fixed versions will refuse to execute any cached, altered versions of the toolchain. The go tool trusts
go.sum files to contain accurate hashes of the current module's dependencies. A malicious proxy exploiting
this vulnerability to serve an altered module will have caused an incorrect hash to be recorded in the
go.sum. Users who have configured a non-trusted GOPROXY can determine if they have been affected by
running rm go.sum ; go mod tidy ; go mod verify, which will revalidate all dependencies of the current
module. The specific flaw in more detail: The go command consults the checksum database to validate
downloaded modules, when a module is not listed in the go.sum file. It verifies that the module hash
reported by the checksum database matches the hash of the downloaded module. If, however, the checksum
database returns a successful response that contains no entry for the module, the go command incorrectly
permitted validation to succeed. A module proxy may mirror or proxy the checksum database, in which case
the go command will not connect to the checksum database directly. Checksums reported by the checksum
database are cryptographically signed, so a malicious proxy cannot alter the reported checksum for a
module. However, a proxy which returns an empty checksum response, or a checksum response for an unrelated
module, could cause the go command to proceed as if a downloaded module has been validated.
(CVE-2026-42501)
Note that Nessus relies on the presence of the package as reported by the vendor.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-42501");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-42501");
script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:C/I:P/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42501");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.13");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.14");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.16");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.17");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.18");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.20");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.21");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.22");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.23");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.24");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.25");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.6");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:golang-1.9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.15");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.19");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-1.24");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Ubuntu Linux-14.04", "Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10");
exit(0);
}
if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);
include('linux_unpatched.inc');
var distro_constraints_array = {
"Debian Linux-11": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "11",
"pkgs": [
{"reference": "golang-1.15"},
{"reference": "golang-1.15-doc"},
{"reference": "golang-1.15-go"},
{"reference": "golang-1.15-src"}
]
}
]
},
"Debian Linux-12": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "12",
"pkgs": [
{"reference": "golang-1.19"},
{"reference": "golang-1.19-doc"},
{"reference": "golang-1.19-go"},
{"reference": "golang-1.19-src"}
]
}
]
},
"Debian Linux-13": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "13",
"pkgs": [
{"reference": "golang-1.24"},
{"reference": "golang-1.24-doc"},
{"reference": "golang-1.24-go"},
{"reference": "golang-1.24-src"}
]
}
]
},
"Ubuntu Linux-14.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "14.04",
"pkgs": [
{"reference": "golang-1.10"}
]
}
]
},
"Ubuntu Linux-16.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "16.04",
"pkgs": [
{"reference": "golang-1.10"},
{"reference": "golang-1.13"},
{"reference": "golang-1.18"},
{"reference": "golang-1.6"},
{"reference": "golang-1.6-doc"},
{"reference": "golang-1.6-go"},
{"reference": "golang-1.6-src"}
]
}
]
},
"Ubuntu Linux-18.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "18.04",
"pkgs": [
{"reference": "golang-1.10"},
{"reference": "golang-1.10-doc"},
{"reference": "golang-1.10-go"},
{"reference": "golang-1.10-src"},
{"reference": "golang-1.13"},
{"reference": "golang-1.16"},
{"reference": "golang-1.18"},
{"reference": "golang-1.8"},
{"reference": "golang-1.9"}
]
}
]
},
"Ubuntu Linux-20.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "20.04",
"pkgs": [
{"reference": "golang-1.13"},
{"reference": "golang-1.13-doc"},
{"reference": "golang-1.13-go"},
{"reference": "golang-1.13-src"},
{"reference": "golang-1.14"},
{"reference": "golang-1.14-doc"},
{"reference": "golang-1.14-go"},
{"reference": "golang-1.14-src"},
{"reference": "golang-1.16"},
{"reference": "golang-1.18"},
{"reference": "golang-1.20"},
{"reference": "golang-1.21"},
{"reference": "golang-1.22"}
]
}
]
},
"Ubuntu Linux-22.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "22.04",
"pkgs": [
{"reference": "golang-1.13"},
{"reference": "golang-1.17"},
{"reference": "golang-1.17-doc"},
{"reference": "golang-1.17-go"},
{"reference": "golang-1.17-src"},
{"reference": "golang-1.18"},
{"reference": "golang-1.18-doc"},
{"reference": "golang-1.18-go"},
{"reference": "golang-1.18-src"},
{"reference": "golang-1.20"},
{"reference": "golang-1.21"},
{"reference": "golang-1.22"},
{"reference": "golang-1.23"},
{"reference": "golang-1.24"}
]
}
]
},
"Ubuntu Linux-24.04": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "24.04",
"pkgs": [
{"reference": "golang-1.21"},
{"reference": "golang-1.22"},
{"reference": "golang-1.22-doc"},
{"reference": "golang-1.22-go"},
{"reference": "golang-1.22-src"},
{"reference": "golang-1.23"},
{"reference": "golang-1.24"}
]
}
]
},
"Ubuntu Linux-25.10": {
"package_manager": "dpkg-l",
"constraints": [
{
"release": "25.10",
"pkgs": [
{"reference": "golang-1.23"},
{"reference": "golang-1.24"},
{"reference": "golang-1.24-doc"},
{"reference": "golang-1.24-go"},
{"reference": "golang-1.24-src"},
{"reference": "golang-1.25"}
]
}
]
}
};
var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);
if (!empty_or_null(report))
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : report
);
exit(0);
}
else
{
audit(AUDIT_HOST_NOT, 'affected');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 May 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.17.5
EPSS0.00008
SSVC