Message-ID: <cca74bf2-74b1-4a83-82e9-8446edc05bf7@redhat.com>
Date: Mon, 20 Apr 2026 16:35:58 -0400
From: Carlos O'Donell <carlos@...hat.com>
To: oss-security@...ts.openwall.com
Subject: The GNU C Library security advisories update for 2026-04-20

The following security advisories have been published:

GLIBC-SA-2026-0008:
===================

Static buffer overflow in deprecated nis_local_principal

The obsolete nis_local_principal function in the GNU C Library version 2.43
and older may overflow a buffer in the data section, which could allow an
attacker to spoof a crafted response to a UDP request generated by this
function and overwrite neighboring static data in the requesting application.

NIS support is obsolete and has been deprecated in the GNU C Library since
version 2.26 and is only maintained for legacy usage. Applications should
port away from NIS to more modern identity and access management services.

CVE-Id: CVE-2026-5358
Public-Date: 2026-04-10
Reported-by: Rahul Hoysala

GLIBC-SA-2026-0009:
===================

scanf %mc off-by-one heap buffer overflow

Calling the scanf family of functions with a %mc (malloc'd character match)
in the GNU C Library version 2.7 to version 2.43 with a format width
specifier with an explicit width greater than 1024 could result in a one
byte heap buffer overflow. The bug is in the buffer growth formula in
__vfscanf_internal, which under-allocates by one byte during realloc
expansion, allowing a controlled single-byte overwrite past the end of the
heap buffer.

The impact is limited by the fact that to execute the overwrite you need
both user controlled input data and a specific choice of maximum width that
yields a smaller than needed allocation. The latter point has to take into
account malloc's particular chunk size rounding process.

The "%[width]mc" format specifier does not appear to have notable use in
major Linux-based OS distributions, due to which the real world impact may
be limited to bespoke use cases.

CVE-Id: CVE-2026-5450
Public-Date: 2026-03-19
Vulnerable-Commit: 874aa52349cc111d1f6ea5dff24bb14c306714e0 (2.7)
Reported-by: Rocket Ma

GLIBC-SA-2026-0010:
===================

Potential buffer under-read in ungetwc

Calling the ungetwc function on a FILE stream with wide characters encoded
in a character set that has overlaps between its single byte and multi-byte
character encodings, in the GNU C Library version 2.43 or earlier, may
result in an attempt to read bytes before an allocated buffer, potentially
resulting in unintentional disclosure of neighboring data in the heap, or a
program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail
in libio/wgenops.c) causes ungetwc() to operate on the regular character
buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer
(fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where
fp->_IO_read_ptr is not initialized and hence points to NULL.

The buffer under-read requires a special situation where the input
character encoding is such that there are overlaps between single byte
representations and multibyte representations in that encoding, resulting
in spurious matches. The spurious match case is not possible in the
standard Unicode character sets.

CVE-Id: CVE-2026-5928
Public-Date: 2026-03-17
Reported-by: Rocket Ma
Vulnerable-Commit: d64b6ad07585b8a37e5fecc9a47fcee766d52ede (2.1.1-89)

Notes:
======

Published advisories are available directly in the project git repository:

https://sourceware.org/git/?p=glibc.git;a=tree;f=advisories;hb=HEAD
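The three advisories above each state an affected release range (2.43 and older; 2.7 through 2.43; 2.43 or earlier). The following C program is an added triage helper, not part of this advisory post or of glibc itself: it encodes those ranges, parses a "MAJOR.MINOR" version string of the shape gnu_get_libc_version() returns, and reports how many of the ranges contain it. The `running_libc_affected` function asks the live C library for its version through confstr(3) and `_CS_GNU_LIBC_VERSION` (a glibc-provided name; the code assumes it may be absent and returns -1 in that case). The struct and function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One advisory's affected release range, copied from the advisory text.
 * A lower bound of 0.0 means "no lower bound stated" ("2.43 and older"). */
struct advisory {
    const char *id;
    const char *cve;
    int min_major, min_minor;
    int max_major, max_minor;
};

static const struct advisory advisories[] = {
    { "GLIBC-SA-2026-0008", "CVE-2026-5358", 0, 0, 2, 43 }, /* 2.43 and older   */
    { "GLIBC-SA-2026-0009", "CVE-2026-5450", 2, 7, 2, 43 }, /* 2.7 through 2.43 */
    { "GLIBC-SA-2026-0010", "CVE-2026-5928", 0, 0, 2, 43 }, /* 2.43 or earlier  */
};
#define N_ADVISORIES (sizeof advisories / sizeof advisories[0])

/* Parse "MAJOR.MINOR[rest]" (e.g. "2.39" or "2.43.9000"; anything after the
 * minor number is ignored). Returns 0 on success, -1 if unparsable. */
static int parse_version(const char *s, int *major, int *minor)
{
    char *end;
    long maj = strtol(s, &end, 10);
    if (end == s || *end != '.' || maj < 0) return -1;
    s = end + 1;
    long min = strtol(s, &end, 10);
    if (end == s || min < 0) return -1;
    *major = (int)maj;
    *minor = (int)min;
    return 0;
}

/* Lexicographic compare of two (major, minor) pairs: -1, 0 or 1. */
static int version_cmp(int amaj, int amin, int bmaj, int bmin)
{
    if (amaj != bmaj) return amaj < bmaj ? -1 : 1;
    if (amin != bmin) return amin < bmin ? -1 : 1;
    return 0;
}

/* 1 if ver lies inside [min, max] of the advisory, 0 if not, -1 if unparsable. */
int version_affected(const char *ver, const struct advisory *a)
{
    int maj, min;
    if (parse_version(ver, &maj, &min) != 0) return -1;
    return version_cmp(maj, min, a->min_major, a->min_minor) >= 0 &&
           version_cmp(maj, min, a->max_major, a->max_minor) <= 0;
}

/* Number of the three advisory ranges that contain ver, or -1 if unparsable. */
int count_affected(const char *ver)
{
    int n = 0;
    for (size_t i = 0; i < N_ADVISORIES; i++) {
        int r = version_affected(ver, &advisories[i]);
        if (r < 0) return -1;
        n += r;
    }
    return n;
}

/* Query the running C library via confstr(3); glibc answers "glibc 2.39".
 * Returns count_affected() on that string, or -1 when the name is not
 * provided or the call fails (e.g. on a non-glibc system). */
int running_libc_affected(void)
{
#ifdef _CS_GNU_LIBC_VERSION
    char buf[64];
    size_t n = confstr(_CS_GNU_LIBC_VERSION, buf, sizeof buf);
    if (n == 0 || n > sizeof buf) return -1;
    const char *ver = strchr(buf, ' ');          /* skip the "glibc " prefix */
    return count_affected(ver ? ver + 1 : buf);
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample version strings, one on each side of the range edges. */
    const char *samples[] = { "2.6", "2.7", "2.43", "2.44" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("glibc %-5s -> %d advisory range(s) match\n",
               samples[i], count_affected(samples[i]));
    printf("running libc -> %d\n", running_libc_affected());
    return 0;
}
```

A version-range match is a triage signal, not a verdict: distributions backport fixes without changing the reported version, so a host whose glibc reports 2.39 may already carry the patches, and a development snapshot such as 2.43.9000 parses here as 2.43. Confirm against the distribution's own advisory and the installed package's changelog before acting on the result.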