CVE-2026-4437

gethostbyaddr and gethostbyaddr_r may incorrectly handle DNS response

Published: 3/20/2026 Last updated: 3/23/2026 Reserved: 3/19/2026

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

CNA assigner: glibc (3ff69d7a-14f2-4f67-a097-88dee7810d18) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	7.5	High	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Opam packages affected (1)

gettext-stub

Products affected (1)

Product	Vendor	Version
glibc	The GNU C Library	< 10.0.26100.2894

References (2)

Credits (4)

1 Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me
2 Kevin Farrell
1 Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me
2 Kevin Farrell