MUNGE
CVE-2026-25506
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Any local user can reach the munged socket (AV:L, PR:L, AC:L); key leak and credential forgery give C:H/I:H and daemon corruption gives A:H, scope unchanged at base.
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionNVD
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
AnalysisAI
Cryptographic key disclosure and credential forgery in MUNGE 0.5 through 0.5.17 lets a local user extract munged's MAC subkey from process memory and forge arbitrary credentials. By sending a crafted message with an oversized address-length field, an attacker triggers an out-of-bounds write that corrupts munged's internal state and leaks the key used to validate credentials, enabling impersonation of any user including root across every service that trusts MUNGE for authentication. EPSS is very low (0.02%) and there is no public exploit identified at time of analysis, but MUNGE's role as a cluster trust anchor makes the impact severe wherever it is deployed.
Technical ContextAI
MUNGE (MUNGE Uid 'N' Gid Emporium) is the standard authentication service for HPC clusters, most notably the credential layer for the Slurm workload manager; munged runs as a local daemon on a UNIX domain socket and issues/validates MAC-protected MUNGE credentials using a shared secret key. The root cause is CWE-787 (out-of-bounds write): in src/libcommon/m_msg.c the _msg_unpack() routine consumed an attacker-supplied address-length field (m->addr_len) without checking it against sizeof(m->addr), so an oversized value drove a write past the fixed addr buffer and corrupted adjacent daemon state. Because munged holds the MAC subkey in the same process memory used to verify credentials, the corruption can be steered to expose that key, collapsing the integrity of the credential scheme. The upstream fix (commit bf40cc27) adds the bounds check 'else if (m->addr_len > sizeof (m->addr)) goto err;' to reject oversized address lengths.
RemediationAI
Vendor-released patch: 0.5.18 - upgrade munge/munged to 0.5.18 or later, or install the fixed distribution package (Debian LTS per https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html; Red Hat per RHSA-2026:3033 and related errata at https://access.redhat.com/errata/RHSA-2026:3033), then restart munged so it reloads from clean memory. After patching, rotate the MUNGE key (/etc/munge/munge.key) across the cluster and restart all munged instances, since a pre-patch compromise may already have leaked the subkey and any forged credentials stay valid until the key changes - this requires coordinated, near-simultaneous key replacement on every node or authentication will break between mismatched hosts. Where immediate patching is impossible, narrow the local attack surface by restricting interactive/shell access on munged hosts to trusted administrators and limiting which accounts can reach the munged socket, accepting that this does not fix the bug and only reduces who can trigger it; the upstream commit bf40cc27c4ce8451d4b062c9de0b67ec40894812 documents the exact bounds check for teams backporting.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production | Affected |
| Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production | Affected |
| SUSE Liberty Linux 8 | Fixed |
| SUSE Liberty Linux 9 | Fixed |
| SUSE Linux Enterprise High Performance Computing 12 SP2 SUSE Linux Enterprise High Performance Computing 12 SP3 SUSE Linux Enterprise High Performance Computing 12 SP4 SUSE Linux Enterprise High Performance Computing 12 SP5 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP3 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for HPC 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for HPC 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for HPC 12 | Fixed |
| SUSE Linux Enterprise Module for HPC 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for HPC 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for HPC 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 12 SP2 | Fixed |
| SUSE Linux Enterprise High Performance Computing 12 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 12 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today