CVE-2026-6238
Received Received - Intake
Memory Corruption in Deprecated GNU C Library DNS Debug Functions

Publication date: 2026-04-28

Last updated on: 2026-05-04

Assigner: GNU C Library

Description
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6238
EUVD
EUVD-2026-26071
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu glibc From 2.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves deprecated functions in the GNU C Library (glibc) version 2.2 and newer, specifically ns_printrrf, ns_printrr, and fp_nquery. These functions fail to properly validate the RDATA content against the RDATA length in DNS responses when processing certain DNS record types such as LOC, CERT, TKEY, or TSIG.

Because of this lack of validation, an attacker can craft a malicious DNS response that causes the target application to either crash or read uninitialized memory.

These functions are intended only for application debugging and are not part of the DNS resolver's normal code path. They have been deprecated since version 2.34 and should not be used in new applications.

Impact Analysis

If an application uses these deprecated functions to process DNS responses, an attacker could exploit this vulnerability by sending specially crafted DNS responses.

The impact could be that the target application crashes or reads uninitialized memory, which may lead to undefined behavior or potential information disclosure.

However, since these functions are for debugging only and not used in the DNS resolver's normal operation, the risk is limited to applications that explicitly use these deprecated interfaces.

Mitigation Strategies

The vulnerable functions ns_printrrf, ns_printrr, and fp_nquery are deprecated and intended only for debugging purposes. Immediate mitigation involves ensuring that applications do not use these deprecated functions, especially since they have been deprecated since version 2.34 of the GNU C Library.

Applications should consider porting away from these interfaces as they may be removed in future versions, thereby avoiding the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart