Message-ID: <f35f110c-bf83-4715-83a5-f774ec317b68@redhat.com>
Date: Mon, 23 Mar 2026 13:49:46 -0400
From: Carlos O'Donell <carlos@...hat.com>
To: oss-security@...ts.openwall.com
Subject: The GNU C Library security advisories update for 2026-03-23

The following security advisories have been published:

GLIBC-SA-2026-0005
==================
gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf
that specifies the library's DNS backend in the GNU C Library version
2.34 to version 2.43 could, with a crafted response from the configured
DNS server, result in a violation of the DNS specification that causes
the application to treat a non-answer section of the DNS response as a
valid answer.

A defect in the getanswer_ptr function, which implements the iteration
and extraction of the answer from the DNS response, can cause it to
incorrectly transition from the answer section to the next section while
still treating it as an answer to the question.  This can happen when
the answer contains only skipped records, and the subsequent section
contains a semantically invalid T_PTR record.  This is considered a
security issue because it is a violation of the DNS specification that
leads to incorrect behaviour that could result in the wrong hostname
being returned to the caller.  At the time of publication, no known
affected DNS server returns results that would be incorrectly
interpreted by the library.  An attacker would either need to be network
adjacent or have compromised the DNS server to use this defect to hide
returned reverse DNS results from intrusion detection systems. Even
then, the inbound connection from the attacker, or the outbound
connection from the application, would be visible to the intrusion
detection system.  At best, the defect can be used to obfuscate and
delay analysis of the evolving threat.

CVE-Id: CVE-2026-4437
Public-Date: 2026-03-20
Vulnerable-Commit: 32e5db37684ffcbc6ae34fcc6cdcf28670506baa (2.34-323)
Vulnerable-Commit: def97e7f71a07517810f7263213d607e08ad21f1 (2.35-188)
Vulnerable-Commit: 77f523c473878ec0051582ef15161c6982879095 (2.36-30)
Vulnerable-Commit: e32547d661a43da63368e488b6cfa9c53b4dcf92 (2.37)
Reported-by: Antonio Maini (0rbitingZer0) - 0rbitingZer0@...ton.me
Reported-by: Kevin Farrell

GLIBC-SA-2026-0006
==================
gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf
that specifies the library's DNS backend in the GNU C Library version
2.34 to version 2.43 could result in an invalid DNS hostname being
returned to the caller in violation of the DNS specification.

A defect in the getanswer_ptr function, which implements the iteration
and extraction of the answer from a DNS response, can cause it to accept
an invalid DNS hostname that can contain shell metacharacters. An
application that uses the returned hostname in a shell, without guarding
for shell expansion, may be subject to shell injection attacks.  At the
time of publication, no known affected DNS server returns results with
shell metacharacters in the results.  An attacker would either need to
be network adjacent or have compromised the DNS server to use this
defect for shell injection.  No known vulnerable application has been
identified.

CVE-Id: CVE-2026-4438
Public-Date: 2026-03-20
Vulnerable-Commit: 32e5db37684ffcbc6ae34fcc6cdcf28670506baa (2.34-323)
Vulnerable-Commit: def97e7f71a07517810f7263213d607e08ad21f1 (2.35-188)
Vulnerable-Commit: 77f523c473878ec0051582ef15161c6982879095 (2.36-30)
Vulnerable-Commit: e32547d661a43da63368e488b6cfa9c53b4dcf92 (2.37)
Reported-by: Antonio Maini (0rbitingZer0) - 0rbitingZer0@...ton.me

Notes:
======

Published advisories are available directly in the project git repository:
https://sourceware.org/git/?p=glibc.git;a=tree;f=advisories;hb=HEAD
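As an added illustration (not part of this advisory or of glibc's code), a Python model of the iteration both advisories concern: the answer-section walk is bounded by ANCOUNT, so a response whose answer records are all skipped yields nothing instead of reading the authority section as a further answer, and each PTR target is checked against RFC 1123 syntax before it is returned, which rejects shell metacharacters. The function names, the decoder's refusal of compression pointers and the two constructed responses are assumptions of this example.

```python
import re
import struct
T_PTR = 12
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1123 label

def hostname_is_valid(name: str) -> bool:
    """Syntactic hostname check; shell metacharacters such as ';' never pass."""
    return 0 < len(name) <= 253 and all(_LABEL.match(lab) for lab in name.split("."))

def decode_name(msg: bytes, off: int) -> tuple:
    """Uncompressed name at off -> (dotted name, offset after it); raises on
    compression pointers (length byte > 63) or a name running past the end."""
    labels = []
    while (n := msg[off]) != 0:          # IndexError if the name is truncated
        off += 1
        if n > 63 or off + n > len(msg):
            raise ValueError("bad label")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), off + 1

def first_valid_ptr(msg: bytes):
    """First valid PTR target among exactly ANCOUNT answer records, else None;
    bounding the loop by ancount keeps the authority section from being read as one."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):             # skip the question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, rdlen = struct.unpack_from("!H6xH", msg, off)   # TYPE ... RDLENGTH
        rdata, end = off + 10, off + 10 + rdlen
        if rtype == T_PTR:
            target, stop = decode_name(msg[:end], rdata)
            if stop == end and hostname_is_valid(target):
                return target
        off = end                        # skip non-PTR or invalid records
    return None

def _name(s: str) -> bytes:
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in s.split(".")) + b"\0"

# Constructed responses, not captures. BAD: a TXT answer (skipped) followed by an
# authority PTR "evil;id.example" holding a shell metacharacter. GOOD: a PTR answer.
QNAME, QUESTION = _name("1.0.0.127.in-addr.arpa"), b"\0\x0c\0\x01"
BAD = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0) + QNAME + QUESTION
       + QNAME + struct.pack("!HHIH", 16, 1, 60, 4) + b"\x03abc"
       + QNAME + struct.pack("!HHIH", T_PTR, 1, 60, 17) + _name("evil;id.example"))
GOOD = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + QUESTION
        + QNAME + struct.pack("!HHIH", T_PTR, 1, 60, 14) + _name("host.example"))
```

The same hostname check is the guard an application should apply to any name it receives from gethostbyaddr before the name reaches a shell or a command line.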
