-Static buffer overflow in deprecated nis_local_principal
+REJECTED: Static buffer overflow in deprecated nis_local_principal
-The obsolete nis_local_principal function in the GNU C Library version
-2.43 and older may overflow a buffer in the data section, which could
-allow an attacker to spoof a crafted response to a UDP request generated
-by this function and overwrite neighboring static data in the requesting
-application.
+REJECTED: CVE-2026-5358 is rejected for two reasons. Firstly it has been
+discovered that no NIS+ client or server was ever released for any
+Linux-based OS distributions and as such this makes the API provisional
+and unused. Secondly it has been discovered that the NIS+ cold start
+cache (/var/nis/NIS_COLD_START) cannot be bypassed and as such the API
+can only be called with a trusted server from the pre-populated cache.
+The use of a trusted server means no trust boundary is crossed and this
+is therefore considered a normal bug.
-NIS support is obsolete and has been deprecated in the GNU C Library
-since version 2.26 and is only maintained for legacy usage. Applications
-should port away from NIS to more modern identity and access management
-services.
+NIS+ support in the GNU C Library was never officially supported even
+though an incomplete implementation of the APIs was made pulibc. To the
+best knowledge of the glibc security team no open-source NIS+ server
+implementations were ever released for use with this API. Applications
+should not use any of the NIS+ APIs and should move to modern identity
+and access management services.
CVE-Id: CVE-2026-5358
Public-Date: 2026-04-10
+Rejected-Date: 2026-04-33
Reported-by: Rahul Hoysala
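Review bot: the value on the added `+Rejected-Date: 2026-04-33` line is not a valid calendar date (April has 30 days), so anything that parses the advisory's date fields will fail on it or sort it wrongly; replace it with the actual rejection date in the same YYYY-MM-DD form as `Public-Date: 2026-04-10`. Also, in the added NIS+ paragraph, `was made pulibc` should read `was made public`, and `Firstly`/`Secondly` read more naturally as `First`/`Second`.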