CVE-2026-4438

Severity
5.4 MEDIUM
EPSS
0.0%
top 91.42%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 20

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
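The practical consequence of the description above is that a program cannot assume the name handed back by gethostbyaddr or gethostbyaddr_r is a syntactically valid hostname, so any caller that puts that name into a log line, a shell command, a configuration lookup or an access decision should check it itself. The following is an added example, not glibc's code and not part of the advisory: it reverse-resolves an address with gethostbyaddr_r and accepts the answer only if it satisfies RFC 952/1123 hostname syntax. The hostname check is the example's own (it is not glibc's internal res_hnok) and is deliberately stricter than what a raw DNS name may contain; the function names valid_dns_hostname and reverse_lookup_checked are this example's own.

```c
/*
 * Added example (not glibc's code, not from the advisory): a caller-side
 * guard around gethostbyaddr_r.  Because the library may return a name
 * that violates DNS hostname syntax (CVE-2026-4438), the caller validates
 * the returned name before using it.
 */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * RFC 952/1123 hostname syntax: labels of ASCII letters, digits and
 * hyphens, 1..63 octets each, no leading or trailing hyphen, whole name
 * at most 253 octets, one trailing dot tolerated.  This is the example's
 * own check, not glibc's res_hnok, and it rejects underscores, spaces,
 * control bytes and anything non-ASCII.  All-numeric labels are allowed.
 */
int valid_dns_hostname(const char *name)
{
    const char *p = name;
    size_t len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0)
        return 0;
    if (name[len - 1] == '.')
        len--;                              /* strip one trailing dot */
    if (len == 0 || len > 253)
        return 0;

    while (len > 0) {
        size_t lab = 0;
        while (lab < len && p[lab] != '.')  /* measure one label */
            lab++;
        if (lab == 0 || lab > 63)           /* "a..b", ".a" or too long */
            return 0;
        if (p[0] == '-' || p[lab - 1] == '-')
            return 0;
        for (size_t i = 0; i < lab; i++) {
            unsigned char c = (unsigned char)p[i];
            int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9') || c == '-';
            if (!ok)
                return 0;
        }
        p += lab;
        len -= lab;
        if (len > 0) {                      /* skip the separating dot */
            p++;
            len--;
        }
    }
    return 1;
}

/*
 * Reverse-resolve an IPv4 or IPv6 address text with gethostbyaddr_r and
 * copy the name into out only if it passes valid_dns_hostname().
 * Returns 0 on success, 1 if the address is unparsable or the lookup
 * yields nothing (ERANGE from a too-small buffer is treated as failure
 * here; a production caller would retry with a larger buffer), and 2 if
 * the resolver returned a name that fails the syntax check.
 */
int reverse_lookup_checked(const char *addr_text, char *out, size_t outlen)
{
    struct in_addr a4;
    struct in6_addr a6;
    const void *addr;
    socklen_t alen;
    int af;
    struct hostent he, *res = NULL;
    char buf[4096];
    int herr = 0;

    if (inet_pton(AF_INET, addr_text, &a4) == 1) {
        af = AF_INET;  addr = &a4; alen = sizeof a4;
    } else if (inet_pton(AF_INET6, addr_text, &a6) == 1) {
        af = AF_INET6; addr = &a6; alen = sizeof a6;
    } else {
        return 1;
    }

    if (gethostbyaddr_r(addr, alen, af, &he, buf, sizeof buf, &res, &herr) != 0
        || res == NULL || res->h_name == NULL)
        return 1;

    if (!valid_dns_hostname(res->h_name))
        return 2;                           /* refuse the invalid name */

    snprintf(out, outlen, "%s", res->h_name);
    return 0;
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    char name[256];
    int rc = reverse_lookup_checked(ip, name, sizeof name);

    if (rc == 0)
        printf("%s -> %s\n", ip, name);
    else if (rc == 2)
        printf("%s -> rejected: resolver returned an invalid hostname\n", ip);
    else
        printf("%s -> no usable PTR\n", ip);
    return rc;
}
```

Compile with a C99 or later compiler on a glibc system and pass an address on the command line; the lookup itself depends on nsswitch.conf and a reachable resolver, so only valid_dns_hostname is exercised offline. Syntax validation is a floor, not a trust decision: a name that passes this check is still attacker-chosen PTR data, and any use of it for authorization should also confirm that the name resolves forward to the original address.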

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5

Affected Packages (3 packages)

CVEList V5: the_gnu_c_library/glibc, versions 2.34 through 2.43
Debian: glibc < 2.42-14
NVD: gnu/glibc, versions 2.34 through 2.43

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-935r-rfch-9mr7: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch... (2026-03-20)
CVEList
gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames (2026-03-20)
OSV
CVE-2026-4438: Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch... (2026-03-20)

📋 Vendor Advisories (3)

Red Hat
glibc: Invalid DNS hostname returned via gethostbyaddr functions (2026-03-20)
Microsoft
gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames (2026-03-10)
Debian
CVE-2026-4438: glibc - Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that sp... (2026)

🕵️ Threat Intelligence (1)

Wiz
CVE-2026-4438 Impact, Exploitability, and Mitigation Steps | Wiz