Document CVE-2026-6238

author Siddhesh Poyarekar <siddhesh@gotplt.org>

Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)

committer Siddhesh Poyarekar <siddhesh@gotplt.org>

Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)
author Siddhesh Poyarekar <siddhesh@gotplt.org>
Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)
committer Siddhesh Poyarekar <siddhesh@gotplt.org>
Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)
diff --git a/advisories/GLIBC-SA-2026-0012 b/advisories/GLIBC-SA-2026-0012

new file mode 100644 (file)

index 0000000..29498d9
--- /dev/null
+++ b/advisories/GLIBC-SA-2026-0012
@@ -0,0 +1,18 @@
+Buffer overread in ns_printrrf with corrupted RDATA field
+
+The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the
+GNU C Library version 2.2 and newer fail to validate the RDATA content
+against the RDATA length in a DNS response when processing LOC, CERT,
+TKEY or TSIG records, which may allow an attacker to craft a DNS
+response, causing a target application to crash or read uninitialized
+memory.
+
+These functions are for debugging only and hence not in the default path
+of code executed by the DNS resolver.  Further, they have been
+deprecated since version 2.34 and should not be used by any new
+applications.  Applications should consider porting away from these
+interfaces since they may be removed in future versions.
+
+CVE-Id: CVE-2026-6238
+Public-Date: 2026-04-11
+Vulnerable-Commit: b43b13ac2544b11f35be301d1589b51a8473e32b (2.1.1-735)
author	Siddhesh Poyarekar <siddhesh@gotplt.org>
	Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)
committer	Siddhesh Poyarekar <siddhesh@gotplt.org>
	Mon, 27 Apr 2026 22:29:26 +0000 (18:29 -0400)