PT-2026-60097 · Unknown · Nebula-Mesh
Published
2026-07-14
·
Updated
2026-07-15
·
CVE-2026-53604
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
nebula-mesh (affected versions not specified)
Description
The web handler
renderMobileBundle passes a *pki.CAResolver to the mobilebundle.Build function, which decrypts the CA's ed25519 private key into a *pki.CAManager. However, the Build function fails to call CAManager.Wipe() on any return path, including success and error paths. This results in the plaintext CA private key remaining on the Go heap until garbage collection occurs. An attacker with the ability to read process memory, such as through core dumps, swap files, or memory-scraping, could recover the CA signing key and mint arbitrary host certificates for the mesh.Recommendations
Add
defer caMgr.Wipe() inside the mobilebundle.Build function immediately after the LoadByID call to ensure the key is zeroized on all return paths.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nebula-Mesh