Fluid Attacks Database

Description

Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel9	glibc	<0:2.34-270.el9_8	0:2.34-270.el9_8
debian 12	glibc	=2.36-9 \|\| =2.36-9+deb12u1 \|\| =2.36-9+deb12u10 \|\| =2.36-9+deb12u11 \|\| =2.36-9+deb12u12 \|\| =2.36-9+deb12u13 \|\| =2.36-9+deb12u2 \|\| =2.36-9+deb12u3 \|\| =2.36-9+deb12u4 \|\| =2.36-9+deb12u5 \|\| =2.36-9+deb12u6 \|\| =2.36-9+deb12u7 \|\| =2.36-9+deb12u8 \|\| =2.36-9+deb12u9 \|\| >=0 <2.36-9+deb12u14	2.36-9+deb12u14
rpm rhel8	glibc	-	-
rpm rhel6	compat-glibc	-	-
rpm rhel10	glibc	<0:2.39-121.el10_2	0:2.39-121.el10_2
debian 13	glibc	=2.41-12 \|\| =2.41-12+deb13u1 \|\| =2.41-12+deb13u2 \|\| >=0 <2.41-12+deb13u3	2.41-12+deb13u3
debian 14	glibc	=2.41-12 \|\| =2.41-13~hurd.0 \|\| =2.41-13~hurd.1 \|\| =2.42-1 \|\| =2.42-10 \|\| =2.42-11 \|\| =2.42-12 \|\| =2.42-12~hurd.1 \|\| =2.42-13 \|\| =2.42-14~hurd.1 \|\| =2.42-2 \|\| =2.42-3 \|\| =2.42-4 \|\| =2.42-5 \|\| =2.42-6 \|\| =2.42-7 \|\| =2.42-8 \|\| =2.42-8~hurd.1 \|\| =2.42-8~hurd.2 \|\| =2.42-9 \|\| >=0 <2.42-14	2.42-14
rpm rhel7	compat-glibc	-	-
rpm rhel6	glibc	-	-
rpm rhel7	glibc	-	-

Aliases

1. CVE-2026-44372. NVD-2026-44373. OSV-2026-44374. OSV-DEBIAN-2026-44375. SECURITY-TRACKER-CVE-2026-4437

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.