CVE-2026-4437

Severity
7.5 HIGH
EPSS
0.0%
top 85.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 20

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

CVEListV5: the_gnu_c_library/glibc, versions 2.34 to 2.43
Debian: glibc, versions < 2.42-14
NVD: gnu/glibc, versions 2.34 to 2.43

Patches

🔴 Vulnerability Details (3)

OSV: CVE-2026-4437: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch (2026-03-20)
GHSA: GHSA-m5wq-r4r4-4qrh: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch (2026-03-20)
CVEList: gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response (2026-03-20)

📋 Vendor Advisories (3)

Red Hat: glibc: Incorrect DNS response parsing via crafted DNS server response (2026-03-20)
Microsoft: gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response (2026-03-10)
Debian: CVE-2026-4437: glibc - Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that sp... (2026)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-4437 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-4437 (HIGH CVSS 7.5) | Calling gethostbyaddr or gethostbya | cvebase.io