PT-2026-60097 · Unknown · Nebula-Mesh

Published

2026-07-14

·

Updated

2026-07-15

·

CVE-2026-53604

CVSS v4.0

8.7

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions nebula-mesh (affected versions not specified)
Description The web handler renderMobileBundle passes a *pki.CAResolver to the mobilebundle.Build function, which decrypts the CA's ed25519 private key into a *pki.CAManager. However, the Build function fails to call CAManager.Wipe() on any return path, including success and error paths. This results in the plaintext CA private key remaining on the Go heap until garbage collection occurs. An attacker with the ability to read process memory, such as through core dumps, swap files, or memory-scraping, could recover the CA signing key and mint arbitrary host certificates for the mesh.
Recommendations Add defer caMgr.Wipe() inside the mobilebundle.Build function immediately after the LoadByID call to ensure the key is zeroized on all return paths.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53604
GHSA-2P2F-PX33-4VV5

Affected Products

Nebula-Mesh