PatchSiren cyber security CVE debrief

CVE-2026-6238: The GNU C Library CVE debrief

CVE-2026-6238 is a vulnerability in the GNU C Library's deprecated functions ns_printrrf, ns_printrr, and fp_nquery. These functions, used for application debugging, fail to validate RDATA content against the RDATA length in DNS responses for A6, CERT, LOC, TKEY, or TSIG records. This oversight may allow an attacker to craft a malicious DNS response, potentially causing a target application to crash or read uninitialized memory. The affected versions of the GNU C Library range from 2.0.1 to 2.43. Given that these functions have been deprecated since version 2.34 and are not in the path of code executed by the DNS resolver, the risk is somewhat mitigated. However, applications using these interfaces may still be vulnerable. The CVSS score for this vulnerability is 6.5, indicating a medium severity level.

Vendor: The GNU C Library
Product: glibc
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-28
Original CVE updated: 2026-06-19
Advisory published: 2026-04-28
Advisory updated: 2026-06-19

Who should care

Organizations running applications that call the GNU C Library's deprecated functions ns_printrrf, ns_printrr, and fp_nquery should be aware of this vulnerability. Specifically, developers and maintainers of applications that have not yet ported away from these deprecated interfaces should prioritize assessing their exposure and implementing mitigations. This includes reviewing application code for calls to these functions and planning for updates or replacements. Additionally, security teams should monitor for potential exploitation attempts targeting this vulnerability.

Technical summary

The GNU C Library (glibc) versions 2.0.1 to 2.43 contain a vulnerability in the deprecated functions ns_printrrf, ns_printrr, and fp_nquery. These functions are used for debugging purposes and are not part of the standard DNS resolver code path. The vulnerability arises from the functions' failure to validate the RDATA content against the RDATA length in DNS responses for certain record types (A6, CERT, LOC, TKEY, or TSIG). This could allow an attacker to craft a malicious DNS response that might cause a target application to crash or read uninitialized memory. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L, reflecting a medium severity with a score of 6.5.
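The missing check described above, as an added illustration that is not glibc's code: a validator that accepts RDATA only when its content is consistent with the RDATA length for LOC, CERT and A6 (TKEY and TSIG, which need a full name and length-field walk, are omitted). Record layouts follow RFC 1876, RFC 4398 and RFC 2874; the name walk assumes uncompressed names, and the sample record in main is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IANA RR type codes for the record types named in the advisory. */
enum { T_LOC = 29, T_CERT = 37, T_A6 = 38 };

/* Walk an uncompressed wire-format name inside [p, p+len).
 * Returns bytes consumed, or 0 if a label is malformed or runs past len. */
static size_t name_len(const uint8_t *p, size_t len)
{
    size_t i = 0;
    while (i < len) {
        uint8_t lab = p[i++];
        if (lab == 0) return i;                    /* root label ends the name */
        if (lab > 63 || i + lab > len) return 0;   /* bad label or past RDATA */
        i += lab;
    }
    return 0;                                      /* no terminator inside RDATA */
}

/* True only if the RDATA content is consistent with rdlen for this type.
 * The caller must already have checked rdlen against the enclosing message. */
bool rdata_consistent(uint16_t type, const uint8_t *rdata, size_t rdlen)
{
    switch (type) {
    case T_LOC:   /* RFC 1876: version, size, hprec, vprec, lat, lon, alt = 16 bytes */
        return rdlen == 16;
    case T_CERT:  /* RFC 4398: type(2) key tag(2) algorithm(1) certificate(var) */
        return rdlen >= 5;
    case T_A6: {  /* RFC 2874: prefix len(1), address suffix, optional prefix name */
        if (rdlen < 1 || rdata[0] > 128) return false;
        size_t suffix = (128 - rdata[0] + 7) / 8;  /* suffix bytes, rounded up */
        if (rdlen < 1 + suffix) return false;
        if (rdata[0] == 0) return rdlen == 1 + suffix;   /* no prefix name */
        size_t n = name_len(rdata + 1 + suffix, rdlen - 1 - suffix);
        return n != 0 && 1 + suffix + n == rdlen;
    }
    default:
        return true;  /* types not covered by this example */
    }
}

int main(void)
{
    /* Constructed A6 record: prefix 64, 8 suffix bytes, then a truncated name. */
    const uint8_t bad_a6[] = {64, 1, 2, 3, 4, 5, 6, 7, 8, 3, 'f', 'o'};
    printf("truncated A6 accepted: %s\n",
           rdata_consistent(T_A6, bad_a6, sizeof bad_a6) ? "yes" : "no");
    return 0;
}
```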

Defensive priority

Medium priority due to the specific conditions required for exploitation and the availability of mitigations.

Recommended defensive actions

  • Inventory applications and services using GNU C Library versions 2.0.1 to 2.43 to identify potential exposure.
  • Review application code for usage of deprecated functions ns_printrrf, ns_printrr, and fp_nquery.
  • Plan for porting away from these deprecated interfaces to newer, supported functions.
  • Monitor for potential exploitation attempts targeting this vulnerability.
  • Apply patches or updates from the GNU C Library maintainers when available.

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-6238 record and the National Vulnerability Database (NVD) detail page. The affected product is GNU C Library (glibc), with versions 2.0.1 to 2.43 being vulnerable. The CVE and NVD entries provide details on the nature of the vulnerability, its CVSS score, and references to additional information. The vulnerability is in the deprecated functions ns_printrrf, ns_printrr, and fp_nquery, which are not used by the DNS resolver but could be exploited in applications using these functions for debugging.

This article is AI-assisted and based on the supplied source corpus.