CVE-2026-5358 - Vulnerability Details

- glibc: glibc: Data corruption or denial of service via buffer overflow in nis_local_principal function

Description

REJECTED: CVE-2026-5358 is rejected for two reasons. Firstly it has been discovered that no NIS+ client or server was ever released for any Linux-based OS distributions and as such this makes the API provisional and unused. Secondly it has been discovered that the NIS+ cold start cache (/var/nis/NIS_COLD_START) cannot be bypassed and as such the API can only be called with a trusted server from the pre-populated cache. The use of a trusted server means no trust boundary is crossed and this is therefore considered a normal bug.

Published: 2026-04-20

Score: 8.2 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The obsolete nis_local_principal function in the GNU C Library (glibc) up to version 2.43 may overflow a static buffer in the data section. This overflow can allow an attacker to craft a malicious UDP response that overwrites neighboring static data used by the requesting application. Such memory corruption can lead to arbitrary code execution or privilege escalation if the overwritten data influences program control flows. The vulnerability is a classic stack or data segment overflow (CWE‑120).

Affected Systems

The affected product is the GNU C Library, also known as glibc. Versions 2.43 and all earlier releases contain the vulnerable nis_local_principal implementation. NIS support was deprecated in glibc 2.26 but is still maintained for legacy use.

Risk and Exploitability

The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is 9.1, but a buffer overflow of this nature is generally considered high impact. Because the exploit requires triggering a UDP request processed by the deprecated NIS function, it is likely limited to environments that still enable NIS. No public exploits have been reported, but the potential for remote code execution exists if an attacker can induce the application to process a crafted NIS response.

No data.

Vendor Product Confidence Versions

The Gnu C Library

Glibc

100%

Version	Status	Scheme	Platform
`[0,2.43]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the GNU C Library to the latest release (glibc ≥2.44) which removes the nis_local_principal function.
Migrate any applications that use NIS to modern identity and access‑management services.
If immediate upgrade is not possible, rebuild or reconfigure glibc to disable NIS support or compile the library without the deprecated NIS components.

Generated by OpenCVE AI on April 22, 2026 at 05:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-5358
https://sourceware.org/bugzilla/show_bug.cgi?id=34067
https://www.cve.org/CVERecord?id=CVE-2026-5358

History

Wed, 22 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}`	cvssV3_1 `{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}`

Wed, 22 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Title	Static buffer overflow in deprecated nis_local_principal	glibc: glibc: Data corruption or denial of service via buffer overflow in nis_local_principal function
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description	The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.	REJECTED: CVE-2026-5358 is rejected for two reasons. Firstly it has been discovered that no NIS+ client or server was ever released for any Linux-based OS distributions and as such this makes the API provisional and unused. Secondly it has been discovered that the NIS+ cold start cache (/var/nis/NIS_COLD_START) cannot be bypassed and as such the API can only be called with a trusted server from the pre-populated cache. The use of a trusted server means no trust boundary is crossed and this is therefore considered a normal bug.

Wed, 22 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-5358 https://www.cve.org/CVERecord?id=CVE-2026-5358
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 21 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		The Gnu C Library The Gnu C Library glibc
Vendors & Products		The Gnu C Library The Gnu C Library glibc

Mon, 20 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.
Title		Static buffer overflow in deprecated nis_local_principal
Weaknesses		CWE-120
References		https://sourceware.org/bugzilla/show_bug.cgi?id=34067

Subscriptions

The Gnu C Library Glibc

MITRE

Status: REJECTED

Assigner: glibc

Published: 2026-04-20T20:37:23.178Z

Updated: 2026-04-22T13:04:20.656Z

Reserved: 2026-04-01T17:07:51.437Z

Link: CVE-2026-5358

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2026-04-20T21:16:36.713

Modified: 2026-04-22T14:17:05.687

Link: CVE-2026-5358

Redhat

Severity : Important

Publid Date: 2026-04-20T20:37:23Z

Links: CVE-2026-5358 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T06:00:09Z

Weaknesses

CWE-120

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object