Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-0026

NIXPKGS-2026-0026
published on
Permalink CVE-2026-0915
7.5 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): None (N)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): None (N)
updated 3 months, 4 weeks ago by @LeSuisse Activity log
  • Created suggestion 3 months, 4 weeks ago
  • @LeSuisse ignored
    24 packages
    • iconv
    • getent
    • locale
    • libc
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    3 months, 4 weeks ago
  • @LeSuisse accepted 3 months, 4 weeks ago
  • @LeSuisse published on GitHub 3 months, 4 weeks ago
getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Ignored packages (24)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Package maintainers

Upstream advisory: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0002;hb=HEAD