What is the CVSS score of CVE-2026-25506?

CVE-2026-25506 has a CVSS 3.1 base score of 7.7 (High). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Debian Linux CVE-2026-25506

Q: Which versions of Debian Linux are affected by CVE-2026-25506?

A HIGH severity vulnerability (CVE-2026-25506) in MUNGE authentication service versions 0.5 to 0.5.17 allows local attackers to extract cryptographic keys from memory, potentially compromising user…. A patch is available.

HIGH

Out-of-bounds Write (CWE-787)

2026-02-10 security-advisories@github.com

Buffer Overflow Red Hat Debian Linux Munge Suse

7.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:02 vuln.today

Patch released

Feb 25, 2026 - 17:39 nvd

Patch available

CVE Published

Feb 10, 2026 - 19:16 nvd

HIGH 7.7

DescriptionNVD

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

AnalysisAI

Buffer overflow in MUNGE authentication daemon (versions 0.5 to 0.5.17) allows local attackers to extract cryptographic key material from memory, enabling forgery of credentials to impersonate any user on systems relying on MUNGE for authentication. By sending a crafted message with an oversized address length field, an attacker can corrupt the daemon's internal state and retrieve the MAC subkey used for credential verification. …

RemediationAI

Within 24 hours: Inventory all systems running MUNGE versions 0.5-0.5.17 and assess which are internet-facing or handle sensitive authentication. Within 7 days: Apply the available vendor patch to all affected systems, prioritizing production authentication infrastructure and systems with high-privilege access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory