CVE-2026-25506

CWE-787 — Out-of-bounds Write CWE-120 — Classic Buffer Overflow7 documents7 sources

Severity

7.8HIGH

EPSS

0.0%

top 94.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Opensuse Munge DUN Munge Debian Debian Linux

Timeline

PublishedFeb 10

Latest updateFeb 12

Description

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted m…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:LExploitability: 1.1 | Impact: 6.0

Affected Packages3 packages

▶NVDopensuse/munge0.5 — 0.5.18

▶Debianmunge< 0.5.14-4+deb11u1+3

▶CVEListV5dun/munge>= 0.5, < 0.5.18

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

CVEList

MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery↗2026-02-10

▶

OSV

CVE-2026-25506: MUNGE is an authentication service for creating and validating user credentials↗2026-02-10

▶

📋Vendor Advisories

Ubuntu

MUNGE vulnerability↗2026-02-12

▶

Red Hat

MUNGE: MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery↗2026-02-10

▶

Debian

CVE-2026-25506: munge - MUNGE is an authentication service for creating and validating user credentials....↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-25506 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶