CVE-2026-6238: CWE-126 Buffer over-read in The GNU C Library glibc
CVE-2026-6238 is a medium severity buffer over-read vulnerability in the GNU C Library (glibc) affecting deprecated debugging functions ns_printrrf, ns_printrr, and fp_nquery. These functions fail to properly validate RDATA content length in DNS responses for certain record types, potentially causing crashes or reading uninitialized memory. The vulnerable functions are deprecated since glibc version 2.34 and are not used by the DNS resolver code path. No official patch or remediation level has been provided yet, and no known exploits are reported in the wild.
AI Analysis
Technical Summary
The vulnerability exists in the deprecated debugging functions ns_printrrf, ns_printrr, and fp_nquery in glibc versions 2.2 and newer. These functions do not validate the RDATA content length against the actual RDATA length when processing LOC, CERT, TKEY, or TSIG DNS records. This can lead to buffer over-read conditions, causing application crashes or exposure of uninitialized memory. Since these functions are intended only for debugging and have been deprecated since version 2.34, they are not part of the DNS resolver's execution path and should not be used in new applications. The vulnerability is classified under CWE-126 (Buffer Over-read) and carries a CVSS 3.1 score of 6.5 (medium severity).
Potential Impact
An attacker capable of crafting malicious DNS responses with specially crafted LOC, CERT, TKEY, or TSIG records could trigger a buffer over-read in applications using the affected deprecated debugging functions, potentially causing crashes or reading uninitialized memory. However, since these functions are deprecated and not used by the DNS resolver, the practical impact is limited to applications explicitly invoking these debugging interfaces.
Mitigation Recommendations
No official patch or remediation level has been provided by the vendor yet. Applications should avoid using the deprecated functions ns_printrrf, ns_printrr, and fp_nquery, as they have been deprecated since glibc version 2.34 and may be removed in future releases. Consider porting applications away from these interfaces to eliminate exposure. Monitor the vendor advisory for updates on official fixes or guidance.
CVE-2026-6238: CWE-126 Buffer over-read in The GNU C Library glibc
Description
CVE-2026-6238 is a medium severity buffer over-read vulnerability in the GNU C Library (glibc) affecting deprecated debugging functions ns_printrrf, ns_printrr, and fp_nquery. These functions fail to properly validate RDATA content length in DNS responses for certain record types, potentially causing crashes or reading uninitialized memory. The vulnerable functions are deprecated since glibc version 2.34 and are not used by the DNS resolver code path. No official patch or remediation level has been provided yet, and no known exploits are reported in the wild.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the deprecated debugging functions ns_printrrf, ns_printrr, and fp_nquery in glibc versions 2.2 and newer. These functions do not validate the RDATA content length against the actual RDATA length when processing LOC, CERT, TKEY, or TSIG DNS records. This can lead to buffer over-read conditions, causing application crashes or exposure of uninitialized memory. Since these functions are intended only for debugging and have been deprecated since version 2.34, they are not part of the DNS resolver's execution path and should not be used in new applications. The vulnerability is classified under CWE-126 (Buffer Over-read) and carries a CVSS 3.1 score of 6.5 (medium severity).
Potential Impact
An attacker capable of crafting malicious DNS responses with specially crafted LOC, CERT, TKEY, or TSIG records could trigger a buffer over-read in applications using the affected deprecated debugging functions, potentially causing crashes or reading uninitialized memory. However, since these functions are deprecated and not used by the DNS resolver, the practical impact is limited to applications explicitly invoking these debugging interfaces.
Mitigation Recommendations
No official patch or remediation level has been provided by the vendor yet. Applications should avoid using the deprecated functions ns_printrrf, ns_printrr, and fp_nquery, as they have been deprecated since glibc version 2.34 and may be removed in future releases. Consider porting applications away from these interfaces to eliminate exposure. Monitor the vendor advisory for updates on official fixes or guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- glibc
- Date Reserved
- 2026-04-13T16:56:08.986Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f1649ccbff5d861047ed13
Added to database: 4/29/2026, 1:53:32 AM
Last enriched: 6/3/2026, 9:19:10 PM
Last updated: 6/13/2026, 11:49:36 AM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.