Linux Distros Unpatched Vulnerability : CVE-2026-42769

🗓️ 10 Jun 2026 00:00:00Reported by TenableType

Unpatched Linux CMP flaw allows root CA replacement via id-it-rootCaKeyUpdate due to a chain bug.

Reporter	Title	Published	Views	Family All 28
FreeBSD	OpenSSL -- Multiple vulnerabilities	9 Jun 202600:00	–	freebsd
FreeBSD	FreeBSD -- Multiple vulnerabilities in OpenSSL	9 Jun 202600:00	–	freebsd
AlpineLinux	CVE-2026-42769	9 Jun 202616:03	–	alpinelinux
CVE	CVE-2026-42769	9 Jun 202616:03	–	cve
Cvelist	CVE-2026-42769 Trust-Anchor Substitution via cert/issuer Typo in CMP rootCaKeyUpdate	9 Jun 202616:03	–	cvelist
Debian	[SECURITY] [DSA 6335-1] openssl security update	9 Jun 202621:45	–	debian
Debian CVE	CVE-2026-42769	9 Jun 202616:03	–	debiancve
Tenable Nessus	Debian dsa-6335 : libcrypto3-udeb - security update	10 Jun 202600:00	–	nessus
Tenable Nessus	OpenSSL 3.4.0 < 3.4.6 Multiple Vulnerabilities	9 Jun 202600:00	–	nessus
Tenable Nessus	OpenSSL 3.5.0 < 3.5.7 Multiple Vulnerabilities	9 Jun 202600:00	–	nessus

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2026-42769
ubuntu	www.ubuntu.com/security/CVE-2026-42769
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(320330);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/10");

  script_cve_id("CVE-2026-42769");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-42769");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Issue Summary: An error in the callback used to verify the certificate provided in a Root CA key update
    Certificate Management Protocol (CMP) message response rendered the certificate validation ineffectual,
    which could lead to escalation of credentials from the Registration Authority (RA) level to the root
    Certification Authority (root CA) level. Impact Summary: The Registration Autority could replace the root
    CA certificate for the CMP clients with an arbitrary root CA certificate. One of the parts of the
    Certificate Management Protocol (CMP), specified in RFC 9810, is Root Certification Authority (root CA)
    key Rollover, which is sent by the server in a message with type 'id-it-rootCaKeyUpdate'. As part of these
    messages, 'newWithOld' certificate, the new root CA certificate signed with the old root CA key, is
    provided, and verifying its signature is crucial for transferring the trust from the old CA key to the new
    one. The 'id-it-rootCaKeyUpdate' messages are expected to be processed with
    OSSL_CMP_get1_rootCaKeyUpdate(), that is expected to verify the 'newWithOld' certificate. A typo in the
    certificate chain building code led to adding an incorrect certificate ('newWithOld' instead of 'oldRoot')
    to the certificate chain, rendering the certificate verification process ineffectual (only the issuer name
    and the algorithm OIDs were verified by other parts of the verification code). An attacker who already has
    credentials that satisfy the CMP message protection checks can generate a new key pair and use a crafted
    self-signed certificate in its 'id-it-rootCaKeyUpdate' CMP messages which affected CMP clients would
    accept as a new trust anchor. Significant preconditions for the attack (having valid RA-level credentials)
    are the reason the issue was assigned Low severity. The FIPS modules are not affected by this issue, as
    the affected code is outside the OpenSSL FIPS module boundary. (CVE-2026-42769)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2026-42769");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-42769");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-42769");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:26.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:edk2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-14", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-25.10", "Host/OS/Ubuntu Linux-26.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-14": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "14",
        "pkgs": [
          {"reference": "libcrypto3-udeb"},
          {"reference": "libssl-dev"},
          {"reference": "libssl-doc"},
          {"reference": "libssl3-udeb"},
          {"reference": "libssl3t64"},
          {"reference": "openssl"},
          {"reference": "openssl-provider-fips"},
          {"reference": "openssl-provider-legacy"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "nodejs"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "efi-shell-aa64"},
          {"reference": "efi-shell-arm"},
          {"reference": "efi-shell-ia32"},
          {"reference": "efi-shell-loongarch64"},
          {"reference": "efi-shell-riscv64"},
          {"reference": "efi-shell-x64"},
          {"reference": "ovmf"},
          {"reference": "ovmf-ia32"},
          {"reference": "ovmf-inteltdx"},
          {"reference": "qemu-efi-aarch64"},
          {"reference": "qemu-efi-arm"},
          {"reference": "qemu-efi-loongarch64"},
          {"reference": "qemu-efi-riscv64"}
        ]
      }
    ]
  },
  "Ubuntu Linux-26.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "26.04",
        "pkgs": [
          {"reference": "efi-shell-aa64"},
          {"reference": "efi-shell-loongarch64"},
          {"reference": "efi-shell-riscv64"},
          {"reference": "efi-shell-x64"},
          {"reference": "ovmf"},
          {"reference": "ovmf-amdsev"},
          {"reference": "ovmf-generic"},
          {"reference": "ovmf-inteltdx"},
          {"reference": "ovmf-legacy"},
          {"reference": "qemu-efi-aarch64"},
          {"reference": "qemu-efi-loongarch64"},
          {"reference": "qemu-efi-riscv64"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

10 Jun 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.15.3

EPSS0.00009

SSVC