Threat Advisory

glibc Vulnerabilities Expose Buffer Overflows and Heap Memory Disclosure

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
EXECUTIVE SUMMARY:

Three security vulnerabilities have been identified in the GNU C Library (glibc), the core C runtime of most Linux-based operating systems. The affected versions are glibc 2.43 and older, and the flaws range from a static-buffer overflow in deprecated NIS code and a heap overflow in the scanf family to a heap under-read in wide-character stream handling. Because glibc is linked into nearly every userspace program, the exposure spans legacy systems that still use NIS as well as modern applications that parse untrusted input with these common functions. Successful exploitation could lead to memory corruption, program crashes, and disclosure of sensitive heap contents, so the business impact is substantial.

CVE-2026-5358 with a CVSS score of 8.5 – A static buffer overflow exists in the nis_local_principal function, affecting glibc version 2.43 and older. The function issues a UDP request; an attacker who spoofs a crafted response to that request can overwrite neighboring static data in the requesting application. Exploitation needs only a single spoofed UDP reply, but it requires NIS support, which glibc has deprecated since version 2.26, so the vulnerable code is reachable only on hosts that still resolve names or credentials through NIS.

CVE-2026-5450 with a CVSS score of 7.5 – A heap buffer overflow exists in the scanf family of functions when the malloc'd character-match specifier (the `m` assignment-allocation modifier combined with a scanset conversion, written `%m[...]`) is used, affecting versions 2.7 through 2.43. Because of an off-by-one in the buffer growth formula in _vfscanf_internal, an attacker who controls the matched input can achieve a controlled single-byte write past the end of the heap buffer that glibc allocates for the match.

CVE-2026-5928 with a CVSS score of 6.5 – The ungetwc function is vulnerable to a buffer under-read, affecting glibc version 2.43 and earlier. A bug in the wide-character pushback implementation causes ungetwc() to operate on the narrow (byte) read pointer instead of the wide-stream read pointer, so a pushback can move the pointer before the start of the buffer. The result is either disclosure of neighboring heap data to the reading program or a crash.

Taken together, these vulnerabilities expose both memory corruption and information disclosure in a library that nearly every Linux process loads. Developers and system administrators should identify the glibc build on each host (for example with `ldd --version` or `getconf GNU_LIBC_VERSION`) and treat anything reporting 2.43 or older as in scope, bearing in mind that distributions often backport fixes without changing the version string, so the distribution's own advisory is the authoritative source for patch status.
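The following C program is an added example written for this advisory; it is not code from glibc or from the referenced report. It shows the scanf pattern described for CVE-2026-5450 (an allocated scanset match, `%m[...]`, whose buffer size is driven by attacker-controlled input), a hardened replacement that parses the same field into a caller-owned, explicitly bounded buffer, and a version gate that classifies a glibc version string against the ranges given above. The input string and the function names are constructed for illustration; `gnu_get_libc_version()` is a real glibc API, and the fallback to "unknown" on other libcs is an assumption made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() is glibc-specific */
#endif

/* Affected pattern (constructed example): the 'm' modifier tells scanf to
 * malloc and grow the destination itself, so the length of the attacker's
 * field drives the buffer growth that CVE-2026-5450 concerns on 2.7..2.43.
 * Audit for this shape in code that parses untrusted input. */
char *field_with_scanf_m(const char *input)
{
    char *field = NULL;
    if (sscanf(input, "%m[^,]", &field) != 1)  /* glibc allocates 'field' */
        return NULL;
    return field;                                /* caller must free() */
}

/* Hardened replacement: no scanf, caller owns a fixed buffer, and a field
 * that would not fit is rejected instead of being silently truncated.
 * Returns the field length, or -1 if it does not fit in outsz. */
int field_bounded(const char *input, char *out, size_t outsz)
{
    size_t n = strcspn(input, ",");
    if (n >= outsz)
        return -1;
    memcpy(out, input, n);
    out[n] = '\0';
    return (int)n;
}

char g_field[16];   /* scratch buffer for the demonstration */

struct glibc_ver { int major, minor; };

/* Accepts "2.43" or "2.43.1"; rejects anything else. Returns 1 on success. */
int parse_glibc_version(const char *s, struct glibc_ver *v)
{
    char extra = 0;
    int n = sscanf(s, "%d.%d%c", &v->major, &v->minor, &extra);
    if (n == 2)
        return 1;
    return n == 3 && extra == '.';
}

/* Classifies a version against the advisory's ranges. Returns -1 if the
 * string is unparsable, otherwise bit 0 = at or below 2.43 (all three CVEs)
 * and bit 1 = within 2.7..2.43 (the scanf range of CVE-2026-5450). */
int check_version_str(const char *s)
{
    struct glibc_ver v;
    int le_243, ge_27, result = 0;
    if (!parse_glibc_version(s, &v))
        return -1;
    le_243 = (v.major < 2) || (v.major == 2 && v.minor <= 43);
    ge_27  = (v.major > 2) || (v.major == 2 && v.minor >= 7);
    if (le_243)
        result |= 1;
    if (le_243 && ge_27)
        result |= 2;
    return result;
}

/* Version of the glibc this process is actually running against. Distributions
 * backport fixes without bumping this string, so treat it as a coarse gate. */
const char *running_glibc_version(void)
{
#ifdef __GLIBC__
    return gnu_get_libc_version();
#else
    return "unknown";   /* assumption: non-glibc libc, no equivalent query */
#endif
}

int main(void)
{
    const char *sample = "alice,bob";   /* constructed input */
    char *m = field_with_scanf_m(sample);
    printf("scanf %%m field: %s\n", m ? m : "(none)");
    free(m);

    int n = field_bounded(sample, g_field, sizeof g_field);
    printf("bounded field: %s (%d)\n", g_field, n);

    const char *ver = running_glibc_version();
    int cls = check_version_str(ver);
    if (cls < 0)
        printf("glibc version %s: cannot classify\n", ver);
    else
        printf("glibc %s: %s%s\n", ver,
               (cls & 1) ? "in the <= 2.43 range" : "2.44 or later",
               (cls & 2) ? ", scanf %m[...] range applies" : "");
    return 0;
}
```

The bounded parser returns an error rather than a truncated field because silent truncation at a parsing boundary is itself a classic source of injection and confusion bugs; callers that need longer fields should size the buffer explicitly rather than fall back to `%m`.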

RECOMMENDATION:

We recommend updating glibc to version 2.44, or to the package in which your distribution has backported the fixes. Because CVE-2026-5358 is reachable only where NIS support is in use, confirm that hosts not intended to use NIS have it disabled in their name-service configuration until the update is applied.

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/glibc-vulnerabilities-2026-linux-security-flaws/
