The vulnerability CVE-2026-42014 involves a use-after-free condition in the gnutls_pkcs11_token_set_pin function of the GnuTLS library. This function, responsible for changing the Security Officer PIN, can be exploited when an attacker attempts to change the PIN with a NULL old PIN on tokens without a protected authentication path. This flaw can lead to memory corruption and potential denial of service or other impacts. Red Hat has released security advisories (RHSA-2026:20611 and RHSA-2026:20612) addressing multiple GnuTLS vulnerabilities, including CVE-2026-42014, with updates available for Red Hat Enterprise Linux 8 and 9. The advisories emphasize applying these updates to mitigate the vulnerabilities. The advisories do not explicitly list affected versions for Red Hat Enterprise Linux 10, and no cloud service is involved.

The vulnerability can lead to a use-after-free condition causing potential denial of service or other memory corruption impacts. The CVSS 3.1 base score is 6.6, indicating a medium severity with local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, low confidentiality and integrity impact, and high availability impact. There are no known exploits in the wild reported at this time.

Red Hat has released security updates for the GnuTLS library that address CVE-2026-42014 along with other related vulnerabilities. Users should apply the relevant GnuTLS package updates provided in the Red Hat advisories RHSA-2026:20611 (for RHEL 8) and RHSA-2026:20612 (for RHEL 9). Before applying these updates, ensure all previously released errata relevant to your system have been applied. For Red Hat Enterprise Linux 10, check the vendor advisory for updates and patch availability. Patch status for RHEL 10 is not explicitly confirmed in the provided advisory content; users should monitor Red Hat's official channels for updates. No additional mitigations beyond applying the official patches are indicated.