[security][CRITICAL] glibc 2.42: 7 CVE require triage #1

Closed
opened 2026-04-29 04:36:03 +03:00 by sbelikov · 2 comments
Owner

CVE triage request

Package

  • Package: glibc
  • Version: 2.42
  • EVR: 2.42-1
  • Category: toolchain
  • Policy class: core-system
  • NiceOS policy class: -
  • Owner: toolchain-team
  • Severity: CRITICAL
  • Max CVSS: 9.8
  • CVE count: 7

LLM recommendation

RU (translated)

Critical buffer overflow vulnerability in the scanf family of functions of the GNU C Library (glibc) when the %mc format specifier is used with a width greater than 1024. Vulnerabilities were also identified in memalign, wordexp, getnetbyaddr, iconv, gethostbyaddr and ungetwc in glibc versions before 2.43.

Update the glibc package immediately to version 2.43 or later, which contains fixes for all of the listed CVEs. If an update is not possible, consider temporary measures (for example, removing the unused IBM1390/IBM1399 character sets for CVE-2026-4046), but this does not remove the remaining vulnerabilities.

Recommended action: update_package

Target version hint: 2.43

Checks:

1. Check the installed glibc package version (rpm -q glibc).
2. Confirm that the version is >= 2.43.
3. Test the vulnerable scenarios (scanf with %mc, memalign with a large alignment) on the updated system to confirm that there is no crash or memory leak.

Risks: Full control over process memory (RCE) via the buffer overflow in scanf. Possible process crash or leakage of sensitive data via the vulnerabilities in wordexp, getnetbyaddr, ungetwc and iconv. The memalign vulnerability allows heap corruption.

EN

Critical heap buffer overflow in the GNU C Library (glibc) scanf family when using %mc format specifier with width > 1024. Additional vulnerabilities identified in memalign, wordexp, getnetbyaddr, iconv, gethostbyaddr, and ungetwc in glibc versions prior to 2.43.

Immediately update the glibc package to version 2.43 or later, which contains fixes for all listed CVEs. If an update is not feasible, consider temporary mitigations (e.g., removing unused IBM1390/IBM1399 character sets for CVE-2026-4046), but this does not address the other vulnerabilities.

Recommended action: update_package

Target version hint: 2.43

Tests:

1. Check installed glibc package version (rpm -q glibc).
2. Confirm version >= 2.43.
3. Test vulnerable scenarios (scanf with %mc, memalign with large alignment) on the updated system to ensure no crash or memory leak occurs.

Risks: Full process memory control (RCE) via buffer overflow in scanf. Potential process crash or sensitive data leakage through vulnerabilities in wordexp, getnetbyaddr, ungetwc, and iconv. The memalign vulnerability allows heap corruption.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-5450 | CRITICAL | 9.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-0861 | HIGH | 8.4 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-15281 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-0915 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-4046 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-4437 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-5928 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2026-5450

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

CVE-2026-0861

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Note that the attacker must have control over both the size and the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62 + 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

CVE-2025-15281

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

CVE-2026-0915

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

CVE-2026-4046

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.

This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

CVE-2026-4437

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

CVE-2026-5928

Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash.

A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

```json
{
  "cves": [
    "CVE-2025-15281",
    "CVE-2026-0861",
    "CVE-2026-0915",
    "CVE-2026-4046",
    "CVE-2026-4437",
    "CVE-2026-5450",
    "CVE-2026-5928"
  ],
  "fingerprint": "da951e0abb3c8d68e465",
  "generated_at": "2026-04-29T01:36:03Z",
  "package": "glibc",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "2.42"
}
```
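The CVE-2026-0861 description above states the precondition for the memalign integer overflow: the caller passes an alignment in the 1<<62 .. 1<<63 range together with a size close to PTRDIFF_MAX, so that size plus alignment padding wraps size_t. The application-level guard below is an added example written for this triage issue; it is not code from glibc or from the NiceOS package. The names `memalign_args_ok`, `checked_aligned_alloc` and the policy cap `MAX_SANE_ALIGNMENT` are assumptions for the example. It shows the check an application can perform before calling posix_memalign, which is the kind of regression condition the recommendation's test step 3 (memalign with large alignment) refers to, without ever handing the dangerous pair to the allocator.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical policy cap on alignment (an assumption for this example, not a
 * glibc constant): real callers need page, cache-line or struct alignments,
 * nowhere near the 1<<62 .. 1<<63 range named in the advisory text. */
#define MAX_SANE_ALIGNMENT ((size_t)1 << 20)

/* Returns true only if (alignment, size) is a pair that posix_memalign accepts
 * and that cannot overflow size_t when the allocator adds alignment padding. */
bool memalign_args_ok(size_t alignment, size_t size)
{
    /* posix_memalign requires a power of two that is a multiple of sizeof(void *). */
    if (alignment < sizeof(void *) || (alignment & (alignment - 1)) != 0)
        return false;
    /* Reject alignments that no legitimate source of alignment would produce. */
    if (alignment > MAX_SANE_ALIGNMENT)
        return false;
    /* glibc rejects sizes above PTRDIFF_MAX; check this first so that the
     * subtraction below cannot wrap. */
    if (size > (size_t)PTRDIFF_MAX)
        return false;
    /* size + alignment must also stay within PTRDIFF_MAX: this is the sum that
     * overflows in the scenario the advisory describes. */
    if (alignment > (size_t)PTRDIFF_MAX - size)
        return false;
    return true;
}

/* Wrapper around posix_memalign that validates before calling into glibc.
 * Returns NULL with errno set on rejection or on allocation failure. */
void *checked_aligned_alloc(size_t alignment, size_t size)
{
    if (!memalign_args_ok(alignment, size)) {
        errno = EINVAL;
        return NULL;
    }
    void *p = NULL;
    int rc = posix_memalign(&p, alignment, size);
    if (rc != 0) {
        errno = rc;   /* posix_memalign reports errors through its return value */
        return NULL;
    }
    return p;
}

int main(void)
{
    /* Constructed inputs: one ordinary request, and the argument shape from the
     * advisory (alignment 1<<63, written portably as SIZE_MAX / 2 + 1, with a
     * size close to PTRDIFF_MAX). */
    void *p = checked_aligned_alloc(64, 1024);
    int ok = (p != NULL) && (((uintptr_t)p & 63) == 0);
    free(p);
    void *q = checked_aligned_alloc(SIZE_MAX / 2 + 1, (size_t)PTRDIFF_MAX - 16);
    return (ok && q == NULL && errno == EINVAL) ? 0 : 1;
}
```

The ordering of the checks matters: the power-of-two and cap tests run before the overflow arithmetic so that `PTRDIFF_MAX - size` is evaluated only once `size` is known to be at most `PTRDIFF_MAX`, and the cap keeps any alignment that reaches the subtraction far below the range that can wrap.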
Author
Owner

Triage update

The glibc 2.42 backport status was reviewed for the 7 CVEs listed in this issue.

Backport prepared

Upstream stable commits were found in release/2.42/master, and RPM patches were prepared for the following CVEs:

| CVE | Status | Upstream commit | NiceOS patch |
|---|---|---|---|
| CVE-2026-0861 | backported | b0ec8fb689df862171f0f78994a3bdeb51313545 | Patch1001 |
| CVE-2026-0915 | backported | 453e6b8dbab935257eb0802b0c97bca6b67ba30e | Patch1002 |
| CVE-2025-15281 | backported | cbf39c26b25801e9bc88499b4fd361ac172d4125 | Patch1003 |
| CVE-2025-15281 | test/backport companion | 1a19d5a507eb82a2cf1cf8bd1c14ca1758fb8a82 | Patch1004 |
| CVE-2026-4437 | backported | 8e863fb1c92360520704a69dc948be6bb4a17cb3 | Patch1005 |
| CVE-2026-4046 | backported | f13c1bb0f97fbc12a6ba1ab5669ce561ea32b80a | Patch1006 |

The package Release was bumped from 1%{?dist} to 2%{?dist}.

The backport patches were added to:

  • patches/
  • SOURCES/
  • SPECS/glibc.spec

During patch preparation, non-runtime NEWS hunks were stripped from the exported upstream patches because they conflicted with the downstream source tree and are not part of the actual runtime/security fixes.

Still pending

The following CVEs are not fixed by the current backport set:

| CVE | Current status | Reason |
|---|---|---|
| CVE-2026-5450 | deferred / waiting for upstream | Upstream Git contains advisory GLIBC-SA-2026-0009, but the advisory does not contain a Fix-Commit entry. No real fix commit for BZ #34008 was found in origin/master, release/2.43/master, or release/2.42/master. |
| CVE-2026-5928 | deferred / waiting for upstream | Upstream Git contains advisory GLIBC-SA-2026-0010, but the advisory does not contain a Fix-Commit entry. No real fix commit for BZ #33998 was found in origin/master, release/2.43/master, or release/2.42/master. |

The following upstream commits must not be used as security backport patches because they only add advisory text and do not change the affected runtime code:

  • 9895db657ad9e19b1fb2d7716b00d0e6f84f1c32 — advisory text for CVE-2026-5450;
  • da3863e62e8ff1abc6b92cfe6d899ca3e80c8c4b — advisory text for CVE-2026-5358 / CVE-2026-5928.

Next actions

  • Keep CVE-2026-5450 and CVE-2026-5928 open as deferred / upstream-waiting until upstream publishes real Fix-Commit entries or reviewed patchwork-based backports are accepted for downstream use.
  • Prepare a NiceOS security advisory only for the CVEs that are actually fixed in the published package build.
Author
Owner

Fixed in Build glibc 2.42-3.niceosc5

Reference: rpms/glibc#1