CVE-2026-43958
Stack-Based Buffer Overflow in rrdcached
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in rrdcached can impact the integrity and confidentiality of data by allowing a local attacker to execute arbitrary code or cause a denial of service. Such impacts on data integrity and confidentiality could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.
Mitigations such as restricting socket access, running the daemon as an unprivileged user, and applying bounds checks are important to reduce the risk and help maintain compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-43958 is a stack-based buffer overflow vulnerability found in the rrdcached daemon, a component of rrdtool. It occurs in the handle_request_create() function when processing CREATE requests that contain more than 128 Data Source (DS) or Round Robin Archive (RRA) arguments.
The function appends these arguments to a fixed-size stack array of 128 entries without proper bounds checking, which allows an attacker with local access to write beyond the array's limits and corrupt stack memory.
This flaw can be exploited by a local attacker who can connect to the rrdcached socket, potentially leading to denial of service by crashing the daemon or even arbitrary code execution.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to a denial of service by crashing the rrdcached daemon, disrupting monitoring or data collection services that rely on rrdtool.
More severely, it may allow an attacker to execute arbitrary code with the privileges of the rrdcached process, potentially leading to local privilege escalation.
This impacts the integrity and confidentiality of data handled by rrdtool, as unauthorized code execution could manipulate or expose sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the rrdcached daemon is running and if it is exposed via a local UNIX socket or TCP socket that accepts CREATE requests with more than 128 DS or RRA arguments.
You can verify the presence of the rrdcached socket by running commands such as:
- ls -l /tmp/rrdcached.sock
- ss -xl | grep rrdcached.sock
To check if the daemon is listening on TCP sockets (which is less common), you can use:
- ss -tlnp | grep rrdcached
Since exploitation requires sending oversized CREATE requests, monitoring or logging CREATE requests with more than 128 DS or RRA arguments could help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the rrdcached socket to trusted users only, avoiding exposure of the daemon via TCP sockets, and running the daemon as an unprivileged user.
Additionally, applying the patch or update that adds bounds checking to reject CREATE requests with more than 128 DS or RRA arguments is recommended.
- Restrict permissions on /tmp/rrdcached.sock to limit access.
- Disable or avoid configuring TCP listeners for rrdcached.
- Run rrdcached as a non-privileged user to limit impact of potential exploitation.
- Apply vendor patches or updates that fix the buffer overflow by adding proper bounds checks.