Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: glibc

Found 4 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-4438
updated 6 days, 17 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 1 week, 2 days ago
  • @LeSuisse removed
    26 packages
    • tests.hardeningFlags.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • iconv
    • getent
    • locale
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    6 days, 17 hours ago
  • @LeSuisse accepted 6 days, 17 hours ago
  • @LeSuisse published on GitHub 6 days, 17 hours ago
gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

References

Affected products

glibc
  • =<2.43

Matching in nixpkgs

Ignored packages (26)

pkgs.mtrace

Perl script used to interpret and provide human readable output of the trace log contained in the file mtracedata, whose contents were produced by mtrace(3)

Proposed patch: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
Proposed advisory: https://inbox.sourceware.org/libc-alpha/20260320194804.1089897-2-carlos@redhat.com/
Permalink CVE-2025-15281
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed
    24 packages
    • getconf
    • mtrace
    • locale
    • getent
    • iconv
    • libc
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibc_memusage
    • glibcLocales
    • glibcLocalesUtf8
    • unixtools.getent
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • unixtools.getconf
    • unixtools.locale
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

References

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Package maintainers

Upstream advisory: https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2026-0003;h=b7a6e83a1096b20e50613581f6de148302752ff3;hb=HEAD
Permalink CVE-2026-0915
7.5 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed
    24 packages
    • iconv
    • getent
    • locale
    • libc
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibc_multi
    • glibcLocales
    • glibc_memusage
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
getnetbyaddr and getnetbyaddr_r leak stack contents to DNS resovler

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

References

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Package maintainers

Upstream advisory: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0002;hb=HEAD
Permalink CVE-2026-0861
8.4 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 1 week ago by @LeSuisse Activity log
  • Created automatic suggestion 2 months, 1 week ago
  • @LeSuisse removed
    21 packages
    • tests.hardeningFlags-gcc.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-clang.glibcxxassertionsStdenvUnsupp
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-gcc.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitEnabled
    • tests.hardeningFlags-clang.glibcxxassertionsExplicitDisabled
    • tests.hardeningFlags-gcc.allExplicitDisabledGlibcxxAssertions
    • tests.hardeningFlags-clang.allExplicitDisabledGlibcxxAssertions
    • glibcLocalesUtf8
    • unixtools.getent
    • unixtools.locale
    • unixtools.getconf
    • getent
    • locale
    • iconv
    • mtrace
    • getconf
    • libiconv
    • glibcInfo
    • glibcLocales
    2 months, 1 week ago
  • @LeSuisse accepted 2 months, 1 week ago
  • @LeSuisse published on GitHub 2 months, 1 week ago
Integer overflow in memalign leads to heap corruption

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc, valloc, pvalloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

References

Affected products

glibc
  • =<2.42

Matching in nixpkgs

Package maintainers

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0001