Static buffer overflow in deprecated nis_local_principal
Summary
| CVE | CVE-2026-5358 |
|---|---|
| State | PUBLISHED |
| Assigner | glibc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-20 21:16:36 UTC |
| Updated | 2026-04-20 21:16:36 UTC |
| Description | The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services. |
Risk And Classification
Problem Types: CWE-120 | CWE-120 CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | The GNU C Library | Glibc | affected 2.43 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| sourceware.org/bugzilla/show_bug.cgi | 3ff69d7a-14f2-4f67-a097-88dee7810d18 | sourceware.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Rahul Hoysala (en)
There are currently no legacy QID mappings associated with this CVE.