
Description

In the GNU C Library version 2.34 to version 2.43, calling gethostbyaddr or gethostbyaddr_r when nsswitch.conf is configured to use the library's DNS backend could, given a crafted response from the configured DNS server, result in a violation of the DNS specification in which the application treats a non-answer section of the DNS response as a valid answer.

PUBLISHED Reserved 2026-03-19 | Published 2026-03-20 | Updated 2026-03-23 | Assigner glibc

Problem types

CWE-125 Out-of-bounds read

Product status

Default status: unaffected

2.34 (custom): affected

Credits

Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me (finder)

Kevin Farrell (reporter)

References

sourceware.org/bugzilla/show_bug.cgi?id=34014

cve.org (CVE-2026-4437)

nvd.nist.gov (CVE-2026-4437)
