CVE-2026-6238
Modified Modified - Updated After Analysis

Memory Corruption in Deprecated GNU C Library DNS Debug Functions

Vulnerability report for CVE-2026-6238, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-28

Last updated on: 2026-06-19

Assigner: GNU C Library

Description

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.0.1 to version 2.43 fail to validate the RDATA content against the RDATA length in a DNS response when processing A6, CERT, LOC, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-28
Last Modified
2026-06-19
Generated
2026-07-06
AI Q&A
2026-04-28
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gnu glibc From 2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability involves deprecated functions in the GNU C Library (glibc) version 2.2 and newer, specifically ns_printrrf, ns_printrr, and fp_nquery. These functions fail to properly validate the RDATA content against the RDATA length in DNS responses when processing certain DNS record types such as LOC, CERT, TKEY, or TSIG.

Because of this lack of validation, an attacker can craft a malicious DNS response that causes the target application to either crash or read uninitialized memory.

These functions are intended only for application debugging and are not part of the DNS resolver's normal code path. They have been deprecated since version 2.34 and should not be used in new applications.

Impact Analysis

If an application uses these deprecated functions to process DNS responses, an attacker could exploit this vulnerability by sending specially crafted DNS responses.

The impact could be that the target application crashes or reads uninitialized memory, which may lead to undefined behavior or potential information disclosure.

However, since these functions are for debugging only and not used in the DNS resolver's normal operation, the risk is limited to applications that explicitly use these deprecated interfaces.

Mitigation Strategies

The vulnerable functions ns_printrrf, ns_printrr, and fp_nquery are deprecated and intended only for debugging purposes. Immediate mitigation involves ensuring that applications do not use these deprecated functions, especially since they have been deprecated since version 2.34 of the GNU C Library.

Applications should consider porting away from these interfaces as they may be removed in future versions, thereby avoiding the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart