Description
The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application.

NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.
Published: 2026-04-20
Score: n/a
EPSS: n/a
KEV: No
Impact: Remote Code Execution via buffer overflow
Action: Patch Immediately
AI Analysis

Impact

The obsolete nis_local_principal function in the GNU C Library (glibc) up to version 2.43 may overflow a static buffer in the data section. This overflow can allow an attacker to craft a malicious UDP response that overwrites neighboring static data used by the requesting application. Such memory corruption can lead to arbitrary code execution or privilege escalation if the overwritten data influences program control flows. The vulnerability is a classic stack or data segment overflow (CWE‑120).

Affected Systems

The affected product is the GNU C Library, also known as glibc. Versions 2.43 and all earlier releases contain the vulnerable nis_local_principal implementation. NIS support was deprecated in glibc 2.26 but is still maintained for legacy use.

Risk and Exploitability

No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score is not provided, but a buffer overflow of this nature is generally considered high impact. Because the exploit requires triggering a UDP request processed by the deprecated NIS function, it is likely limited to environments that still enable NIS. No public exploits have been reported, but the potential for remote code execution exists if an attacker can induce the application to process a crafted NIS response.

Generated by OpenCVE AI on April 20, 2026 at 23:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GNU C Library to the latest release (glibc ≥2.44) which removes the nis_local_principal function.
  • Migrate any applications that use NIS to modern identity and access‑management services.
  • If immediate upgrade is not possible, rebuild or reconfigure glibc to disable NIS support or compile the library without the deprecated NIS components.

Generated by OpenCVE AI on April 20, 2026 at 23:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared The Gnu C Library
The Gnu C Library glibc
Vendors & Products The Gnu C Library
The Gnu C Library glibc

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.
Title Static buffer overflow in deprecated nis_local_principal
Weaknesses CWE-120
References

Subscriptions

The Gnu C Library Glibc
cve-icon MITRE

Status: PUBLISHED

Assigner: glibc

Published:

Updated: 2026-04-20T20:37:23.178Z

Reserved: 2026-04-01T17:07:51.437Z

Link: CVE-2026-5358

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-20T21:16:36.713

Modified: 2026-04-20T21:16:36.713

Link: CVE-2026-5358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses