IM
IronMonkey Threat Research

CVE-2026-4437 HIGH

Published: 2026-03-20 | Last Modified: 2026-07-14 | Status: Modified

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Additional Descriptions (1)

Llamar a gethostbyaddr o gethostbyaddr_r con un nsswitch.conf configurado que especifica el backend DNS de la biblioteca en la GNU C Library versión 2.34 a la versión 2.43 podría, con una respuesta manipulada del servidor DNS configurado, resultar en una violación de la especificación DNS que hace que la aplicación trate una sección que no es de respuesta de la respuesta DNS como una respuesta válida.

CVSS Metrics

Base Score: 7.5 (HIGH)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorNETWORK
Attack ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Type: Secondary

Exploitability Score: 3.9

Impact Score: 3.6

Weaknesses

Source Type Description
3ff69d7a-14f2-4f67-a097-88dee7810d18 Secondary
en CWE-125

Affected Products

Vendor Product Version Update Type
gnu glibc * <built-in method update of dict object at 0x702bddbb21c0> Application

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

References

Notification
Message here