CVE-2026-4438

Publication date 20 March 2026

Last updated 6 June 2026

Ubuntu priority

Cvss 3 Severity Score

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
eglibc	26.04 LTS resolute	Not in release
	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	14.04 LTS trusty	Needs evaluation
glibc	26.04 LTS resolute	Vulnerable
	25.10 questing	Vulnerable
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected

Notes

mdeslaur

introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=e32547d661a43da63368e488b6cfa9c53b4dcf92 same commit as CVE-2026-4437

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
glibc	Upstream: https://sourceware.org/git/?p=glibc.git;a=commit;h=9f5f18aab40ec6b61fa49a007615e6077e9a979b

Severity score breakdown

CVSS version: CVSS v3.0

Base score 5.4 · Medium

Base metrics

Parameter	Value
Attack vector	Adjacent
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality impact	Low
Integrity impact	Low
Availability impact	None

Scores

Parameter	Value
Base score	5.4 · Medium
Exploitability score	-
Impact score	-

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N