CVE-2026-4438

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* - VULNERABLE

GNU C Library (glibc) 2.34 - 2.43

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#include <stdio.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

// PoC for CVE-2026-4438: glibc gethostbyaddr invalid hostname
// This code demonstrates the vulnerable function call.
// Requires an environment where nsswitch.conf uses DNS backend
// and a malicious DNS server responds to the target IP.

int main() {
    struct hostent *he;
    struct in_addr addr;
    
    // Target IP address (e.g., local network IP)
    inet_aton("192.168.1.100", &addr);

    // Vulnerable function call
    he = gethostbyaddr(&addr, sizeof(addr), AF_INET);

    if (he == NULL) {
        herror("gethostbyaddr");
        return 1;
    }

    // Output the potentially invalid hostname
    printf("Official name: %s\n", he->h_name);
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4438
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4438
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4438/
[4] VulDB https://vuldb.com/cve/CVE-2026-4438
[5] https://sourceware.org/bugzilla/show_bug.cgi?id=34015

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4438", "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "published": "2026-03-20T20:16:49.623", "lastModified": "2026-04-07T18:40:02.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification."}, {"lang": "es", "value": "Llamar a gethostbyaddr o gethostbyaddr_r con un nsswitch.conf configurado que especifica el backend DNS de la biblioteca en la biblioteca GNU C versión 2.34 a la versión 2.43 podría resultar en que se devuelva un nombre de host DNS no válido al llamador en violación de la especificación DNS."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-88"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.34", "versionEndIncluding": "2.43", "matchCriteriaId": "1ECF98C3-1D14-492E-9FE0-241B03BF8550"}]}]}], "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34015", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Exploit", "Issue Tracking", "Patch"]}]}}