PT-2026-3138 · Unknown+4 · Gnu C Library+4

Igor Morgenstern · Published 2026-01-15 · Updated 2026-05-05 · CVE-2026-0915

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

GNU C Library versions 2.0 through 2.42

Description

The GNU C Library contains a flaw in getnetbyaddr() and getnetbyaddr_r(): when nsswitch.conf specifies the library's DNS backend for the networks database and the caller queries for a zero-valued network, stack contents can be disclosed to the configured DNS resolver. This can potentially bypass Address Space Layout Randomization (ASLR), leak credentials, expose cryptographic keys, and facilitate the exploitation of other memory corruption flaws. The issue stems from insufficient validation in the glibc DNS resolution functions, which causes uninitialized stack memory to be transmitted to DNS resolvers.

Recommendations

Update to glibc version 2.43 or later when available via distribution security updates. Modify /etc/nsswitch.conf to remove DNS from network resolution (networks: files). Audit DNS traffic for anomalous queries and review applications invoking network resolution functions with zero parameters.
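The nsswitch.conf mitigation above can be checked with a short script. This is an added example, not part of the advisory or of glibc: it reports whether the networks database still lists the dns backend. The function names and the sample file are constructed for illustration; on a host, pass /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example: audit the "networks" database of an nsswitch.conf file.

# Print the sources configured for "networks", one per line.
# Comments and [STATUS=action] items are removed first. If the file has
# several networks lines, the sources of all of them are reported.
networks_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]/ /g' -e 's/:/ : /' "$1" |
    awk '$1 == "networks" && $2 == ":" { for (i = 3; i <= NF; i++) print $i }'
}

# Exit status:
#   0  networks is configured and dns is not among its sources
#   1  dns is listed for networks (the configuration the advisory describes)
#   2  no networks entry found; the library's built-in default applies
audit_networks() {
    sources=$(networks_sources "$1")
    if [ -z "$sources" ]; then
        echo "$1: no networks entry, built-in default applies (check separately)"
        return 2
    fi
    if printf '%s\n' "$sources" | grep -qx 'dns'; then
        echo "$1: networks uses dns; set 'networks: files' or update glibc"
        return 1
    fi
    echo "$1: networks sources are:" $sources
    return 0
}

# Constructed sample input so the script runs offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample nsswitch.conf
passwd:     files
hosts:      files dns
networks:   files dns [NOTFOUND=return]
EOF
audit_networks "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

A clean result only covers the configuration side; the installed glibc build still needs the distribution's security update.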

Exploit

Fix

Use of Uninitialized Resource

Weakness Enumeration

Related Identifiers

ALSA-2026:1334
ALSA-2026:2786
ALSA-2026:4772
AZL-74633
AZL-74817
BDU:2026-02104
CVE-2026-0915
ECHO-5E35-7ADB-017F
MGASA-2026-0022
OESA-2026-1198
OESA-2026-1199
OESA-2026-1200
OESA-2026-1201
OESA-2026-1202
OESA-2026-1266
OPENSUSE-SU-2026:10662-1
OPENSUSE-SU-2026:20133-1
RHSA-2026:1334
RHSA-2026:2786
RHSA-2026:4772
RHSA-2026:7316
SUSE-SU-2026:0371-1
SUSE-SU-2026:0680-1
SUSE-SU-2026:0896-1
SUSE-SU-2026:20178-1
SUSE-SU-2026:20198-1
SUSE-SU-2026:20527-1
SUSE-SU-2026:20536-1
USN-8005-1

Affected Products

Gnu C Library
Linuxmint
Red Os
Rocky Linux
Ubuntu