CVE-2026-4438

gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames

Published: 3/20/2026 Last updated: 3/23/2026 Reserved: 3/19/2026

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

CNA assigner: glibc (3ff69d7a-14f2-4f67-a097-88dee7810d18) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	5.4	Medium	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Opam packages affected (1)

gettext-stub

Products affected (2)

Product	Vendor	Version
glibc	The GNU C Library	< 10.0.25398.1791
glibc	The GNU C Library	< 10.0.26100.2894

References (2)

https://sourceware.org/bugzilla/show_bug.cgi?id=34015
https://sourceware.org/bugzilla/show_bug.cgi?id=34015

Credits (2)

1 Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me
1 Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me