CVE 9.1 CRITICAL

Static buffer overflow in deprecated nis_local_principal_CVE-2026-5358

April 21, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Description

The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application.

NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.

AI Analysis

Static buffer overflow in deprecated nis_local_principal function

Basic Information

ID CVE-2026-5358

Source glibc

Published Apr 20, 2026 at 20:37

Modified Apr 21, 2026 at 19:50

Affected Product

Vendor The GNU Project

Product glibc

Version 2.43 and older

Affected Versions The GNU C Library glibc 0

CWE Classification

CWE-120

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor The GNU Project

Product GNU C Library

Version 2.43 and older

References

sourceware.org /bugzilla/show_bug.cgi

{
    "lastseen": "",
    "description": "The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application.\n\nNIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.",
    "published": "2026-04-20T20:37:23.178Z",
    "modified": "2026-04-21T19:50:06.251Z",
    "type": "cve",
    "title": "Static buffer overflow in deprecated nis_local_principal",
    "source": "glibc",
    "references": "https://sourceware.org/bugzilla/show_bug.cgi?id=34067",
    "id": "CVE-2026-5358",
    "bulletinFamily": "",
    "cwe": [
        "CWE-120"
    ],
    "cvelist": null,
    "sourceData": "The GNU C Library glibc 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "glibc",
    "version": "2.43 and older",
    "vendor": "The GNU Project",
    "ai_description": "Static buffer overflow in deprecated nis_local_principal function",
    "ai_severity": "Critical",
    "ai_vendor": "The GNU Project",
    "ai_product": "GNU C Library",
    "ai_version": "2.43 and older",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply