CVE-2026-4437

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://sourceware.org/bugzilla/show_bug.cgi?id=34014	Exploit Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

History

07 Apr 2026, 18:41

Type	Values Removed	Values Added
Summary		(es) Llamar a gethostbyaddr o gethostbyaddr_r con un nsswitch.conf configurado que especifica el backend DNS de la biblioteca en la GNU C Library versión 2.34 a la versión 2.43 podría, con una respuesta manipulada del servidor DNS configurado, resultar en una violación de la especificación DNS que hace que la aplicación trate una sección que no es de respuesta de la respuesta DNS como una respuesta válida.
References	~~() https://sourceware.org/bugzilla/show_bug.cgi?id=34014 -~~	() https://sourceware.org/bugzilla/show_bug.cgi?id=34014 - Exploit, Issue Tracking, Patch
CPE		cpe:2.3:a:gnu:glibc::::::::
First Time		Gnu Gnu glibc

23 Mar 2026, 16:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

20 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-20 20:16

Updated : 2026-04-07 18:41

NVD link : CVE-2026-4437

Mitre link : CVE-2026-4437

CVE.ORG link : CVE-2026-4437

JSON object : View

Products Affected

gnu

glibc

CWE

CWE-125

Out-of-bounds Read

7.5 /10