Description
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory.

These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
Published: 2026-04-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The glibc functions ns_printrrf, ns_printrr, and fp_nquery do not validate the length of the RDATA field against the actual data present in a DNS response when handling LOC, CERT, TKEY, or TSIG records. An attacker who can influence a DNS response destined for an application that calls one of these functions could trigger a buffer overread, causing the application to read uninitialized memory or crash. This vulnerability corresponds to CWE-126 (Uninitialized Memory Read) and CWE-1284 (Buffer Over-read) and represents an uninitialized memory read that is potentially exploitable for denial of service or information disclosure.

Affected Systems

Affected vendor: GNU C Library (glibc). All glibc releases from version 2.2 onward contain the vulnerable functions. The functions were deprecated in glibc 2.34, but remain in the code base for backward compatibility. Any application that calls these debugging functions—usually for diagnostic purposes—may be affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate impact. The EPSS score of less than 1% shows a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Attackers could craft a DNS response containing corrupted RDATA for LOC, CERT, TKEY, or TSIG records that is processed by an application using the deprecated debug functions ns_printrrf, ns_printrr, or fp_nquery. Because these functions are intended only for debugging and normally not called by the DNS resolver, the exploitation path is narrow; an attacker would need to trigger the use of these functions in a live application. If an application does not invoke them, the risk is effectively zero. When invoked, the vulnerability can cause a buffer overread that may lead to a crash or unintended disclosure of memory contents.

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Refactor application code to eliminate calls to ns_printrrf, ns_printrr, and fp_nquery; use standard DNS resolution APIs instead
  • Upgrade to the latest available glibc release, which may remove or disable these deprecated debug functions
  • If the functions must remain for legacy diagnostics, compile the application with the NDEBUG or equivalent macro to disable debug-mode DNS queries

Generated by OpenCVE AI on May 6, 2026 at 01:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat hummingbird
Weaknesses CWE-1284
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat
Redhat hummingbird
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 04 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu glibc
CPEs cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
Vendors & Products Gnu
Gnu glibc

Tue, 28 Apr 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

Tue, 28 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared The Gnu C Library
The Gnu C Library glibc
Vendors & Products The Gnu C Library
The Gnu C Library glibc

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.
Title Buffer overread in ns_printrrf with corrupted RDATA field
Weaknesses CWE-126
References

Subscriptions

Gnu Glibc
Redhat Hummingbird
The Gnu C Library Glibc
cve-icon MITRE

Status: PUBLISHED

Assigner: glibc

Published:

Updated: 2026-04-28T18:51:25.367Z

Reserved: 2026-04-13T16:56:08.986Z

Link: CVE-2026-6238

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T19:37:47.523

Modified: 2026-05-04T17:57:24.007

Link: CVE-2026-6238

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-28T16:43:08Z

Links: CVE-2026-6238 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T02:00:12Z

Weaknesses