PT-2026-5356 · Unknown · Trusttunnel

Megamansec · Published 2026-01-29 · Updated 2026-01-29 · CVE-2026-24904

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions
TrustTunnel versions prior to 0.9.115

Description
TrustTunnel, an open-source VPN protocol, has a rule bypass issue. The issue resides in the interaction between tls_listener.rs and rules.rs. Specifically, the TlsListener::listen() function peeks 1024 bytes and calls extract_client_random(...). If parsing of the TLS plaintext fails, extract_client_random returns None. The RulesEngine::evaluate function only evaluates client_random_prefix when client_random is Some(...). Consequently, when extraction fails, rules relying on client_random_prefix are bypassed, and evaluation proceeds to subsequent rules. The client_random_prefix is a match condition and does not block non-matching prefixes.

Recommendations
Update to TrustTunnel version 0.9.115 or later.
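
The evaluation flow in the description, modelled as an added Rust example that is not TrustTunnel's source code. The types, the function names, the sample policy and the default-deny fallback are hypothetical, and the fail-closed variant is one assumed way to handle a missing client random, not necessarily the change made in 0.9.115.

```rust
// Simplified model of the rule evaluation described in the advisory.
// Types and function names are hypothetical, not TrustTunnel's source.
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Action { Allow, Deny }

pub struct Rule {
    pub client_random_prefix: Option<Vec<u8>>, // None = rule has no prefix condition
    pub action: Action,
}

/// Behaviour the advisory describes: a rule carrying a prefix condition is only
/// considered when a client random was extracted; otherwise it is skipped.
pub fn evaluate_described(rules: &[Rule], client_random: Option<&[u8]>) -> Action {
    for rule in rules {
        match (&rule.client_random_prefix, client_random) {
            (None, _) => return rule.action, // unconditional rule
            (Some(p), Some(cr)) if cr.starts_with(p) => return rule.action,
            _ => continue, // non-matching prefix OR missing client random
        }
    }
    Action::Deny // assumed default when no rule matches
}

/// Assumed fail-closed variant: if any rule depends on the client random and
/// none could be extracted, the policy cannot be evaluated, so deny.
pub fn evaluate_fail_closed(rules: &[Rule], client_random: Option<&[u8]>) -> Action {
    let needs_random = rules.iter().any(|r| r.client_random_prefix.is_some());
    if needs_random && client_random.is_none() {
        return Action::Deny;
    }
    evaluate_described(rules, client_random)
}

/// Constructed policy: deny client randoms starting with de ad, allow the rest.
pub fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { client_random_prefix: Some(vec![0xde, 0xad]), action: Action::Deny },
        Rule { client_random_prefix: None, action: Action::Allow },
    ]
}

fn main() {
    let rules = sample_rules();
    let blocked: [u8; 4] = [0xde, 0xad, 0xbe, 0xef]; // constructed sample value
    println!("parsed, denied prefix: {:?}", evaluate_described(&rules, Some(&blocked[..])));
    println!("unparsed, described:   {:?}", evaluate_described(&rules, None));
    println!("unparsed, fail-closed: {:?}", evaluate_fail_closed(&rules, None));
}
```

With the constructed policy, a connection whose client random could not be extracted falls through the prefix-based deny rule and reaches the catch-all allow rule, which is the bypass the description refers to.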

Exploit

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-24904
GHSA-FQH7-R5GF-3R87

Affected Products

Trusttunnel