Skip to main content

Glibc EUVDEUVD-2026-13796

| CVE-2026-4437 HIGH
Out-of-bounds Read (CWE-125)
2026-03-20 glibc
7.5
CVSS 3.1 · Vendor: glibc
Share

Severity by source

Vendor (glibc) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (glibc).

CVSS VectorVendor: glibc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 20:15 euvd
EUVD-2026-13796
Analysis Generated
Mar 20, 2026 - 20:15 vuln.today
CVE Published
Mar 20, 2026 - 19:59 nvd
HIGH 7.5

DescriptionCVE.org

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

AnalysisAI

A DNS response parsing vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43 affecting the gethostbyaddr and gethostbyaddr_r functions. When a malicious or compromised DNS server returns a crafted response that violates the DNS specification, the library may incorrectly treat non-answer sections (such as authority or additional sections) as valid answers, leading to buffer overflow and information disclosure. The vulnerability is classified as a read buffer over-read (CWE-125) and does not currently have a published CVSS score, EPSS metric, or confirmed KEV status, though the underlying mechanism suggests moderate real-world risk in environments with untrusted or attacker-controlled DNS infrastructure.

Technical ContextAI

The vulnerability resides in glibc's DNS resolver implementation, specifically in how the gethostbyaddr and gethostbyaddr_r functions (which perform reverse DNS lookups) parse DNS protocol responses when the nsswitch.conf configuration specifies the DNS backend. The DNS protocol defines structured response sections: question, answer, authority, and additional sections. The bug allows a malformed DNS response to cause the parser to misinterpret section boundaries, treating data from non-answer sections as valid answer data. This is fundamentally a CWE-125 (Out-of-bounds Read) vulnerability where insufficient bounds checking during DNS packet parsing allows the reading of memory beyond intended buffer limits. The affected CPE is cpe:2.3:a:the_gnu_c_library:glibc:*:*:*:*:*:*:*:* for all versions from 2.34 to 2.43 inclusive. This affects any system-level application or library that relies on glibc's name resolution, making it a foundational supply-chain risk.

RemediationAI

Apply the security patch provided by the GNU C Library project by upgrading glibc to version 2.44 or later (when released) or to a patched version of 2.43 or earlier provided by your Linux distribution. Contact your OS vendor (Debian, Ubuntu, Red Hat, etc.) for distribution-specific patches and security advisories. Until patching is possible, implement network-level mitigation by restricting DNS queries to trusted, authenticated DNS servers (e.g., your organization's internal DNS or well-maintained public resolvers like Cloudflare or Quad9), disabling unnecessary reverse DNS lookups in applications via configuration, and monitoring DNS traffic for anomalous responses. For systems with critical workloads, consider running DNS queries through a validating DNSSEC resolver which may reject malformed responses before they reach glibc.

More in Glibc

View all
CVE-2015-0235 CRITICAL POC
10.0 Jan 28

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,

CVE-2015-7547 HIGH POC
8.1 Feb 18

Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C

CVE-2023-6246 HIGH POC
8.4 Jan 31

Local privilege escalation in GNU glibc 2.36 and newer arises from a heap-based buffer overflow in __vsyslog_internal, r

CVE-2014-5119 HIGH POC
7.5 Aug 29

Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-depe

CVE-2012-4412 HIGH POC
7.5 Oct 09

Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-depende

CVE-2018-1000001 HIGH POC
7.8 Jan 31

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before th

CVE-2023-25139 CRITICAL POC
9.8 Feb 03

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct

CVE-2021-33574 CRITICAL POC
9.8 May 25

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. Rated critical seve

CVE-2019-1010022 CRITICAL POC
9.8 Jul 15

GNU Libc current is affected by: Mitigation bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2019-9169 CRITICAL POC
9.8 Feb 26

In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer ove

CVE-2017-1000366 HIGH POC
7.8 Jun 19

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causin

CVE-2014-9402 HIGH POC
7.8 Feb 24

The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Se

Vendor StatusVendor

Debian

glibc
Release Status Fixed Version Urgency
bullseye vulnerable 2.31-13+deb11u11 -
bullseye (security) vulnerable 2.31-13+deb11u13 -
bookworm vulnerable 2.36-9+deb12u13 -
bookworm (security) vulnerable 2.36-9+deb12u7 -
trixie vulnerable 2.41-12+deb13u2 -
forky, sid vulnerable 2.42-13 -
(unstable) fixed (unfixed) -

SUSE

Severity: High
Product Status
Container rancher/elemental-channel/sl-micro:6.0-baremetal Container rancher/elemental-channel/sl-micro:6.0-base Container rancher/elemental-channel/sl-micro:6.0-kvm Container rancher/elemental-channel/sl-micro:6.0-rt Container suse/sl-micro/6.0/baremetal-iso-image:2.1.4-6.152 Container suse/sl-micro/6.0/base-iso-image:2.1.4-5.152 Container suse/sl-micro/6.0/kvm-iso-image:2.1.4-6.159 Container suse/sl-micro/6.0/rt-iso-image:2.1.4-6.151 Container suse/sl-micro/6.1/baremetal-iso-image:2.2.1-5.97 Container suse/sl-micro/6.1/base-iso-image:2.2.1-5.114 Container suse/sl-micro/6.1/kvm-iso-image:2.2.1-5.127 Container suse/sl-micro/6.1/rt-iso-image:2.2.1-5.101 Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.158 Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-EC2 Affected
Container suse/sl-micro/6.0/base-os-container:2.1.3-7.125 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-6.142 Container suse/sl-micro/6.0/rt-os-container:2.1.3-7.156 Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.88 Container suse/sl-micro/6.1/base-os-container:2.2.1-5.112 Container suse/sl-micro/6.1/kvm-os-container:2.2.1-5.114 Container suse/sl-micro/6.1/rt-os-container:2.2.1-5.102 Image SL-Micro Image SL-Micro-Base Image SL-Micro-Base-RT Image SL-Micro-Base-RT-SelfInstall Image SL-Micro-Base-RT-encrypted Image SL-Micro-Base-SelfInstall Image SL-Micro-Base-encrypted Image SL-Micro-Base-qcow Image SL-Micro-Default Image SL-Micro-Default-SelfInstall Image SL-Micro-Default-encrypted Image SL-Micro-Default-qcow Image SLE-Micro-BYOS-GCE Image SLE-Micro-GCE Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.93 Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

EUVD-2026-13796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy