CVE-2026-5435
Published: 28 April 2026
Summary
CVE-2026-5435 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the GNU C Library (glibc). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-5435 affects the GNU C Library (glibc) versions 2.2 and newer, specifically the deprecated functions ns_printrrf, ns_printrr, and fp_nquery. These functions fail to enforce the caller-supplied buffer length, leading to an out-of-bounds write when printing TSIG records. The vulnerability is classified under CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and ease of exploitation.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation triggers an out-of-bounds write, potentially allowing limited impacts on confidentiality, integrity, and availability, such as partial data disclosure, modification, or service disruption in affected glibc-dependent applications handling TSIG records.
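As an added illustration of the bug class described above (not glibc's code, and not the ns_printrrf, ns_printrr or fp_nquery implementations): a TSIG record printer that threads the caller-supplied buffer length through every write, so the limit the caller passes is the one that is actually enforced. The record layout, field names and sample values are constructed for the example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed, simplified TSIG record (not glibc's internal type). */
struct tsig_rr {
    const char *name, *algorithm;   /* owner name, algorithm name */
    uint64_t time_signed;
    uint16_t fudge;
    const uint8_t *mac;
    size_t mac_len;
};
/* Append formatted text at *cur without writing past the remaining space.
 * Returns 0 on success, -1 if it would not fit; buffer stays NUL-terminated. */
static int append_fmt(char **cur, size_t *remaining, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(*cur, *remaining, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= *remaining)
        return -1;
    *cur += n;
    *remaining -= (size_t)n;
    return 0;
}
/* Print a TSIG record into buf; the caller's buflen is the hard limit.
 * Returns characters written, or -1 if the record does not fit. */
int tsig_print(const struct tsig_rr *rr, char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0) return -1;
    char *cur = buf;
    size_t remaining = buflen;
    if (append_fmt(&cur, &remaining, "%s TSIG %s %llu %u ", rr->name, rr->algorithm,
                   (unsigned long long)rr->time_signed, (unsigned)rr->fudge) < 0)
        return -1;
    for (size_t i = 0; i < rr->mac_len; i++)      /* MAC rendered as hex */
        if (append_fmt(&cur, &remaining, "%02x", (unsigned)rr->mac[i]) < 0)
            return -1;
    return (int)(cur - buf);
}
/* Constructed sample record: its text form is 55 characters long. */
int tsig_print_sample(char *buf, size_t buflen)
{
    static const uint8_t mac[4] = { 0xde, 0xad, 0xbe, 0xef };
    struct tsig_rr rr = { "host.example.", "hmac-sha256.", 1700000000ULL, 300, mac, 4 };
    return tsig_print(&rr, buf, buflen);
}
```

With a buffer one byte too small for the MAC, the call returns -1 and the byte past the caller's limit is left untouched.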
Mitigation details are available in the referenced advisories, including the glibc-announce mailing list post at https://inbox.sourceware.org/libc-announce/7a655d55-276f-41fe-b550-feb3ebb2ce91@redhat.com/T/#u and the Sourceware Bugzilla entry at https://sourceware.org/bugzilla/show_bug.cgi?id=34033.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26036
Vulnerability details
The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to enforce the caller-supplied buffer length, and can result in an out-of-bounds write when printing TSIG records.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable, unauthenticated network vulnerability (out-of-bounds write in glibc DNS functions) that can be triggered against affected applications, directly enabling T1190 Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the out-of-bounds write vulnerability in the deprecated glibc functions by identifying, prioritizing, and applying vendor-provided patches.
- Runtime memory protection: Implements protections such as ASLR, DEP, and stack guards that hinder successful exploitation of the buffer overflow when printing TSIG records.
- RA-5 (Vulnerability Monitoring and Scanning): Provides vulnerability scanning to identify systems running glibc versions affected by CVE-2026-5435 for timely remediation.