CVE-2026-24904 – TrustTunnel VPN protocol versions before 0.9.11... (How to Fix)

Q: What is the severity of CVE-2026-24904?

CVE-2026-24904 has a CVSS score of 5.3 (MEDIUM). TrustTunnel VPN protocol versions before 0.9.115 have a rule bypass vulnerability where fragmented or partial TLS ClientHello messages cause client random extraction to fail. When this happens, security rules that rely on client_random_prefix matching are skipped, potentially allowing unauthorized connections. This affects anyone using TrustTunnel with rule-based access controls.

📋 TL;DR

TrustTunnel VPN protocol versions before 0.9.115 have a rule bypass vulnerability where fragmented or partial TLS ClientHello messages cause client random extraction to fail. When this happens, security rules that rely on client_random_prefix matching are skipped, potentially allowing unauthorized connections. This affects anyone using TrustTunnel with rule-based access controls.

💻 Affected Systems

Products:

TrustTunnel

Versions: All versions prior to 0.9.115

Operating Systems: All platforms running TrustTunnel

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects deployments using rule-based access controls with client_random_prefix conditions.

📦 What is this software?

Trusttunnel by Adguard

View all CVEs affecting Trusttunnel →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could bypass authentication rules and gain unauthorized VPN access to protected networks, potentially leading to data exfiltration or lateral movement.

🟠

Likely Case

Inconsistent rule enforcement allowing some unauthorized connections through the VPN gateway when fragmented packets occur.

🟢

If Mitigated

Limited impact with proper network segmentation and additional authentication layers beyond TrustTunnel rules.

🌐 Internet-Facing: HIGH - VPN endpoints are typically internet-facing and directly exposed to potential attackers.

🏢 Internal Only: LOW - Internal-only deployments have reduced attack surface but could still be vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Requires ability to send fragmented TLS ClientHello packets to trigger the extraction failure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.115

Vendor Advisory: https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87

Restart Required: Yes

Instructions:

1. Stop TrustTunnel service. 2. Update to version 0.9.115 or later. 3. Restart TrustTunnel service. 4. Verify rules are functioning correctly.

🔧 Temporary Workarounds

Network filtering

all

Use network firewalls or IDS/IPS to detect and block fragmented TLS ClientHello packets.

Rule redundancy

all

Add redundant rules that don't rely on client_random_prefix to catch unauthorized connections.

🧯 If You Can't Patch

Implement network segmentation to limit potential damage from unauthorized VPN connections
Add additional authentication layers (MFA, certificate-based auth) beyond TrustTunnel rules

🔍 How to Verify

Check if Vulnerable:

Check TrustTunnel version: if version < 0.9.115 and using client_random_prefix rules, system is vulnerable.

Check Version:

trusttunnel --version

Verify Fix Applied:

After patching, test with fragmented ClientHello packets and verify rules are still enforced.

📡 Detection & Monitoring

Log Indicators:

Failed client_random extraction logs
Rule evaluation skipping due to None client_random
Unexpected successful connections bypassing rules

Network Indicators:

Fragmented TLS ClientHello packets to TrustTunnel port
Connection attempts that should be blocked by rules but succeed

SIEM Query:

source="trusttunnel" AND ("extract_client_random failed" OR "client_random is None" OR "rule skipped")

📊 Metadata

CVE ID: CVE-2026-24904

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE: CWE-284

EPSS Score: 0.04% exploit probability (10.8th percentile)

Published: January 29, 2026

Last Updated: February 20, 2026

🔗 References

https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6 Patch
https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87 Exploit,Vendor Advisory,Patch

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24904, you might also want to check these: