Skip to main content

MUNGE CVE-2026-25506

HIGH
Out-of-bounds Write (CWE-787)
2026-02-10 security-advisories@github.com
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Any local user can reach the munged socket (AV:L, PR:L, AC:L); key leak and credential forgery give C:H/I:H and daemon corruption gives A:H, scope unchanged at base.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
7.7 HIGH
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Red Hat
7.7 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jun 30, 2026 - 05:49 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:47 vuln.today
v4 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 05:46 vuln.today
Analysis Updated
Jun 30, 2026 - 05:46 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 05:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:23 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 03:23 NVD
7.7 (HIGH) 7.8 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:02 vuln.today
Patch released
Feb 25, 2026 - 17:39 nvd
Patch available
CVE Published
Feb 10, 2026 - 19:16 nvd
HIGH 7.7

DescriptionNVD

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

AnalysisAI

Cryptographic key disclosure and credential forgery in MUNGE 0.5 through 0.5.17 lets a local user extract munged's MAC subkey from process memory and forge arbitrary credentials. By sending a crafted message with an oversized address-length field, an attacker triggers an out-of-bounds write that corrupts munged's internal state and leaks the key used to validate credentials, enabling impersonation of any user including root across every service that trusts MUNGE for authentication. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but MUNGE's role as a cluster trust anchor makes the impact severe wherever it is deployed.

Technical ContextAI

MUNGE (MUNGE Uid 'N' Gid Emporium) is the standard authentication service for HPC clusters, most notably the credential layer for the Slurm workload manager; munged runs as a local daemon on a UNIX domain socket and issues/validates MAC-protected MUNGE credentials using a shared secret key. The root cause is CWE-787 (out-of-bounds write): in src/libcommon/m_msg.c the _msg_unpack() routine consumed an attacker-supplied address-length field (m->addr_len) without checking it against sizeof(m->addr), so an oversized value drove a write past the fixed addr buffer and corrupted adjacent daemon state. Because munged holds the MAC subkey in the same process memory used to verify credentials, the corruption can be steered to expose that key, collapsing the integrity of the credential scheme. The upstream fix (commit bf40cc27) adds the bounds check 'else if (m->addr_len > sizeof (m->addr)) goto err;' to reject oversized address lengths.

RemediationAI

Vendor-released patch: 0.5.18 - upgrade munge/munged to 0.5.18 or later, or install the fixed distribution package (Debian LTS per https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html; Red Hat per RHSA-2026:3033 and related errata at https://access.redhat.com/errata/RHSA-2026:3033), then restart munged so it reloads from clean memory. After patching, rotate the MUNGE key (/etc/munge/munge.key) across the cluster and restart all munged instances, since a pre-patch compromise may already have leaked the subkey and any forged credentials stay valid until the key changes - this requires coordinated, near-simultaneous key replacement on every node or authentication will break between mismatched hosts. Where immediate patching is impossible, narrow the local attack surface by restricting interactive/shell access on munged hosts to trusted administrators and limiting which accounts can reach the munged socket, accepting that this does not fix the bug and only reduces who can trigger it; the upstream commit bf40cc27c4ce8451d4b062c9de0b67ec40894812 documents the exact bounds check for teams backporting.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed

Share

CVE-2026-25506 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy