CVE-2026-4438
published 2026-03-20CVE-2026-4438: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version…
medium5.4CVSS 3.1
AVAACLPRNUINSUCLILAN
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glibc | < glibc 2.42-14 (forky) | glibc 2.42-14 (forky) |
| gnu | glibc | >= 0 < 2.42-14 | 2.42-14 |
| gnu | glibc | 2.34 – 2.43 | — |
| msrc | azl3_glibc_2.38-18_on_azure_linux_3.0 | — | — |
| msrc | cbl2_glibc_2.35-10_on_cbl_mariner_2.0 | — | — |
| the_gnu_c_library | glibc | 2.34 – 2.43 | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv5.4MEDIUM