CVE-2026-4437
Published: 20 March 2026
Summary
CVE-2026-4437 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in the GNU C Library (glibc). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 20.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring identification, reporting, and correction of the glibc flaw through timely patching of affected versions 2.34 to 2.43.
- RA-5 (Vulnerability Monitoring and Scanning): Enables scanning and monitoring to identify systems running vulnerable glibc versions affected by the DNS response parsing flaw.
- Secure name resolution: Provides secure recursive or caching DNS resolvers that validate responses, mitigating crafted DNS packets exploiting the glibc parsing violation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets remote crafted DNS responses trigger out-of-bounds read crashes in glibc DNS functions (gethostbyaddr), directly facilitating application/system exploitation for endpoint denial of service (high availability impact, no authentication or user interaction required).
NVD Description
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
Deeper analysis
CVE-2026-4437 is a vulnerability in the GNU C Library (glibc) versions 2.34 through 2.43. It affects applications calling the gethostbyaddr or gethostbyaddr_r functions when nsswitch.conf is configured to use the library's DNS backend. A crafted response from the configured DNS server can violate the DNS specification, causing the application to treat a non-answer section of the DNS response as a valid answer. The issue is classified as CWE-125 (Out-of-bounds Read) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote attacker can exploit this vulnerability without privileges or user interaction by controlling or spoofing responses from the target system's configured DNS server. The low attack complexity enables network-based exploitation, resulting in high availability impact, such as application crashes or denial of service.
Mitigation details are documented in the Sourceware Bugzilla advisory at https://sourceware.org/bugzilla/show_bug.cgi?id=34014.
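The two exposure conditions stated above (glibc 2.34 through 2.43, and an nsswitch.conf hosts line that routes lookups to the library's dns backend) can be checked on a host from `ldd --version` output and the nsswitch.conf text. The following triage script is an added example and not code from the advisory or from glibc; the sample inputs are constructed, and a version inside the range is only a first-pass signal, since distribution builds often carry backported fixes without changing the version number.

```python
import re

# Affected range as stated in the advisory: glibc 2.34 through 2.43 inclusive.
AFFECTED_MIN = (2, 34)
AFFECTED_MAX = (2, 43)

# Constructed sample inputs (not taken from a real host).
SAMPLE_LDD = "ldd (GNU libc) 2.39\nCopyright (C) 2024 Free Software Foundation, Inc.\n"
SAMPLE_NSSWITCH = "# constructed nsswitch.conf\npasswd: files\nhosts: files dns\n"


def parse_glibc_version(ldd_output):
    """Return (major, minor) from `ldd --version` or gnu_get_libc_version() text.

    Distro banners such as 'ldd (Debian GLIBC 2.36-9+deb12u4) 2.36' also parse,
    because the first dotted pair is the upstream version.
    """
    m = re.search(r"\b(\d+)\.(\d+)\b", ldd_output)
    if not m:
        raise ValueError("no glibc version found in input")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version):
    """True when the upstream version lies in the advisory's affected range."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def hosts_uses_dns_backend(nsswitch_text):
    """True if the 'hosts:' line of nsswitch.conf names glibc's own 'dns' service.

    Bracketed entries like '[!UNAVAIL=return]' are actions, not services, and
    'resolve' (systemd-resolved's NSS module) is not the glibc dns backend.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("hosts:"):
            continue
        services = line[len("hosts:"):].split()
        return any(s == "dns" for s in services if not s.startswith("["))
    return False                                     # no hosts line: glibc default applies


def assess_exposure(ldd_output, nsswitch_text):
    """Combine both conditions into a triage verdict for one host."""
    vulnerable_version = version_in_affected_range(parse_glibc_version(ldd_output))
    dns_enabled = hosts_uses_dns_backend(nsswitch_text)
    if vulnerable_version and dns_enabled:
        return "exposed"                             # confirm against distro advisory
    if vulnerable_version:
        return "version-affected-dns-disabled"
    return "not-affected"


if __name__ == "__main__":
    print(assess_exposure(SAMPLE_LDD, SAMPLE_NSSWITCH))
```

Run it with the real `ldd --version` output and `/etc/nsswitch.conf` contents of a host to get a quick inventory signal that can feed the RA-5 scanning step; an "exposed" verdict still needs confirmation against the distribution's patch status.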
Details
- CWE(s)