CVE-2026-5358
Received Received - Intake
Buffer Overflow in GNU C Library nis_local_principal Function

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: GNU C Library

Description
Rejected reason: REJECTED: CVE-2026-5358 is rejected for two reasons. Firstly it has been discovered that no NIS+ client or server was ever released for any Linux-based OS distributions and as such this makes the API provisional and unused. Secondly it has been discovered that the NIS+ cold start cache (/var/nis/NIS_COLD_START) cannot be bypassed and as such the API can only be called with a trusted server from the pre-populated cache. The use of a trusted server means no trust boundary is crossed and this is therefore considered a normal bug.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-04-22
NVD
CVE-2026-5358
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu gnu_c_library to 2.26 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the obsolete nis_local_principal function of the GNU C Library version 2.43 and older. This function may overflow a buffer located in the data section. An attacker could exploit this by spoofing a crafted response to a UDP request generated by this function, which could then overwrite neighboring static data in the requesting application.

Since NIS support is obsolete and deprecated since version 2.26 of the GNU C Library, this vulnerability affects legacy systems still using NIS for identity and access management.

Impact Analysis

This vulnerability can allow an attacker to overwrite static data in an application by sending a crafted UDP response. This could lead to unexpected behavior, potential application crashes, or exploitation of the application by manipulating its memory.

Because the vulnerability involves buffer overflow and data overwriting, it may be used to compromise the security or stability of applications relying on the vulnerable function.

Mitigation Strategies

The vulnerability is related to the obsolete nis_local_principal function in GNU C Library versions 2.43 and older. Since NIS support is deprecated and only maintained for legacy usage, the recommended mitigation is to port applications away from NIS to more modern identity and access management services.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5358. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart