From: Siddhesh Poyarekar
Date: Wed, 11 Mar 2026 13:11:44 +0000 (-0400)
Subject: Document CVE-2026-3904
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=656d923a47210d0ec56cdbccefa1b0858ea1572e;p=thirdparty%2Fglibc.git

Document CVE-2026-3904

All branches already have a fix, so this is mainly for distributions that may have cherry-picked the SSE2 memcmp implementation.

Signed-off-by: Siddhesh Poyarekar
---
diff --git a/advisories/GLIBC-SA-2026-0004 b/advisories/GLIBC-SA-2026-0004 new file mode 100644 index 0000000000..fd630dc591 --- /dev/null +++ b/advisories/GLIBC-SA-2026-0004 
@@ -0,0 +1,30 @@ +nscd client crash on x86_64 under high nscd load + +Calling NSS-backed functions that support caching via nscd may call the +nscd client side code and in the GNU C Library version 2.36 under high +load on x86_64 systems, the client may call memcmp on inputs that are +concurrently modified by other processes or threads and crash. + +The nscd client in the GNU C Library uses the memcmp function with +inputs that may be concurrently modified by another thread, potentially +resulting in spurious cache misses, which in itself is not a security +issue. However in the GNU C Library version 2.36 an optimized +implementation of memcmp was introduced for x86_64 which could crash +when invoked with such undefined behaviour, turning this into a +potential crash of the nscd client and the application that uses it. +This implementation was backported to the 2.35 branch, making the nscd +client in that branch vulnerable as well. Subsequently, the fix for +this issue was backported to all vulnerable branches in the GNU C +Library repository. + +It is advised that distributions that may have cherry-picked the memcpy +SSE2 optimization in their copy of the GNU C Library, also apply the fix +to avoid the potential crash in the nscd client. + +CVE-Id: CVE-2026-3904 +Public-Date: 2026-03-11 +Vulnerable-Commit: 8804157ad9da39631703b92315460808eac86b0c (2.36) +Vulnerable-Commit: 5a8df6485c584e2b0e957ec6b9070437a724911a (2.35-89) +Fix-Commit: b712be52645282c706a5faa038242504feb06db5 (2.37) +Fix-Commit: 93967a2a7bbdcedb73e0b246713580c7c84d001e (2.36-84) +Fix-Commit: 6bcd5d8e3668d52388a6e0580611749f93e6871f (2.35-230)
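Review bot: The closing paragraph of the advisory says "cherry-picked the memcpy SSE2 optimization", while the commit message and the second paragraph both name the optimized memcmp implementation. This looks like a typo for memcmp and should be corrected, since a distribution reading only that paragraph would audit the wrong backport. Separately, the opening paragraph mentions only "the GNU C Library version 2.36", but the second paragraph and the "Vulnerable-Commit: ... (2.35-89)" line show the 2.35 branch is affected as well. Naming 2.35 in the opening paragraph, and splitting that long first sentence in two, would keep the summary consistent with the metadata. The title says "under high nscd load" while the body says "under high load"; it would help to use one wording so it is clear which load condition triggers the concurrent modification.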