CVE-2026-4438

MEDIUM EPSS 8.7%

Published Mar 20, 20263mo ago · Modified Jun 17, 20261w ago

5.4 CVSS 3.1

Medium

Published Mar 20, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

CVSS Details

Base Score

5.4

Exploitability

2.8

Impact

2.5

Vector string

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector Adjacent

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

8.7% percentile

Exploit & Patch Status

Public Exploit Known

Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation

CWE-88

Affected Products 1

Vendor	Product	Version	Range
gnu	glibc	*	≥2.34 – ≤2.43

References 1

sourceware.org https://sourceware.org/bugzilla/show_bug.cgi?id=34015

ExploitIssue TrackingPatch

Remediation

sourceware.org https://sourceware.org/bugzilla/show_bug.cgi?id=34015

ExploitIssue TrackingPatch