GHSA-RC6V-5RMX-W5MV: Multi-Vector Cryptographic and State Machine Vulnerabilities in Arnika
Vulnerability ID: GHSA-RC6V-5RMX-W5MV
CVSS Score: 6.5
Published: 2026-05-15
Arnika versions prior to v1.0.1 contain multiple medium-severity vulnerabilities affecting the UDP key-rotation protocol, Post-Quantum Cryptography (PQC) key file handling, and Key Management System (KMS) TLS configuration. These flaws permit UDP replay attacks causing denial of service, silent security downgrades via empty PQC files, and Man-in-the-Middle (MITM) attacks against the KMS.
TL;DR
Arnika < v1.0.1 suffers from UDP replay vulnerabilities, insecure PQC key file handling leading to silent cryptographic downgrades, and disabled TLS verification. These issues are resolved in version 1.0.1.
Technical Details
- CWE ID: CWE-295, CWE-294, CWE-732
- Attack Vector: Network / Local
- CVSS Score: 6.5
- Impact: Denial of Service, Security Downgrade, MITM Key Interception
- Exploit Status: None
- Fixed Version: v1.0.1
Affected Systems
- arnika
- WireGuard VPN Extension
- arnika: < 1.0.1 (Fixed in: v1.0.1)
Code Analysis
Commit: efbd980
Fix UDP rotation, implement strict PQC validation, and enable TLS verification
Mitigation Strategies
- Upgrade to arnika v1.0.1
- Ensure PQC key files have strict file permissions (0600)
- Enforce network segmentation for KMS communication
Remediation Steps:
- Update the arnika deployment to version 1.0.1
- Audit the filesystem permissions on all PQC Pre-Shared Key files
- Restart the arnika service to apply configuration and binary changes
- Verify the TLS configuration to the Key Management System enforces certificate validation
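The key file audit in the remediation steps can be scripted so that the two conditions this advisory names, loose permissions and empty PQC files, are checked together. This is an added example, not code from the advisory or the Arnika project; the function names and the key file paths passed as arguments are assumptions, since the advisory does not state where the PQC key files are stored.

```shell
#!/bin/sh
# Added example (not Arnika code): audit PQC pre-shared key files.
# Usage: sh audit_psk.sh /path/to/pqc-key-file [...]   (paths are site-specific)
# Run as the file owner or root so the files are readable.

# Check one file; print one finding per problem, return 0 only if it passes.
audit_psk_file() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"
        return 1
    fi
    # An empty or whitespace-only file is the silent-downgrade case:
    # count the bytes that remain once whitespace is removed.
    n=$(tr -d '[:space:]' < "$f" | wc -c | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "FAIL $f: no key material (empty file)"
        rc=1
    fi
    # Octal permission bits: GNU stat first, BSD stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "600" ]; then
        echo "FAIL $f: mode $mode, expected 600"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK   $f"; fi
    return "$rc"
}

# Audit every path given; return non-zero if any file fails.
audit_all() {
    status=0
    for p in "$@"; do
        audit_psk_file "$p" || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

A non-zero exit status makes the script usable as a pre-start check or a scheduled audit job.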
References
- GitHub Advisory: GHSA-RC6V-5RMX-W5MV
- Arnika Repository
- Fix Commit: efbd980d8b636cb59f60f2d6ece1b80a9cf36535
- Release v1.0.1