CVE-2026-0915: GNU C Library Fixes A Security Issue Present Since 1996 - Phoronix
The GNU C Library (glibc) has patched CVE-2026-0915, a subtle flaw dating back to 1996 that could leak stack data during certain DNS lookups. The fix has landed in the latest glibc Git code and will be included in the next release.
What happened
- Affected APIs: getnetbyaddr and getnetbyaddr_r in the NSS DNS backend.
- Trigger: Supplying a network value of zero, which was never tested, caused DNS queries to be built from uninitialized stack bytes.
- Impact: Limited confidentiality leak of adjacent stack data. While exploitation is uncommon, the leak could aid in bypassing ASLR under specific conditions.
The fix
- Behavior change: When the network value is zero, glibc now constructs a safe default query instead of using uninitialized memory.
- Status: The correcting commit is merged into glibc.git.
- Origin: The problematic code path originated in June 1996.
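The trigger and the fix described above, as an added example that is not glibc's code: a simplified model in which a zero network number yields no octets and so matches no formatting branch. The function names, the buffer handling and the all-zero default name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not glibc source): split net into octets. */
static int split_net(uint32_t net, unsigned int b[4])
{
    int cnt = 4;
    for (; net != 0; net >>= 8)
        b[--cnt] = net & 0xff;
    return cnt;                 /* 4 means net == 0: no octet stored */
}

/* Pre-fix shape: no branch for cnt == 4, so qbuf is never written.
   Returns 1 if a query name was written, 0 if qbuf was left untouched. */
int build_query_legacy(uint32_t net, char *qbuf, size_t len)
{
    unsigned int b[4] = {0};
    switch (split_net(net, b)) {
    case 3: snprintf(qbuf, len, "0.0.0.%u.in-addr.arpa", b[3]); return 1;
    case 2: snprintf(qbuf, len, "0.0.%u.%u.in-addr.arpa", b[3], b[2]); return 1;
    case 1: snprintf(qbuf, len, "0.%u.%u.%u.in-addr.arpa", b[3], b[2], b[1]); return 1;
    case 0: snprintf(qbuf, len, "%u.%u.%u.%u.in-addr.arpa", b[3], b[2], b[1], b[0]); return 1;
    }
    return 0;                   /* net == 0 falls through to here */
}

/* Post-fix shape: zero gets an explicit, fully initialized default name.
   The all-zero name is this example's choice of "safe default". */
int build_query_fixed(uint32_t net, char *qbuf, size_t len)
{
    if (net == 0) {
        snprintf(qbuf, len, "0.0.0.0.in-addr.arpa");
        return 1;
    }
    return build_query_legacy(net, qbuf, len);
}

int main(void)
{
    char qbuf[64];
    memset(qbuf, 'S', sizeof qbuf - 1);   /* constructed stand-in for stale stack bytes */
    qbuf[sizeof qbuf - 1] = '\0';
    int wrote = build_query_legacy(0, qbuf, sizeof qbuf);
    printf("legacy: wrote=%d qbuf=%.8s...\n", wrote, qbuf);
    build_query_fixed(0, qbuf, sizeof qbuf);
    printf("fixed:  qbuf=%s\n", qbuf);
    return 0;
}
```

In the legacy path the sentinel bytes survive the call, which is the condition under which a caller would go on to send whatever the buffer already held.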
Related vulnerability
- CVE-2026-0861: Passing overly large alignments to memalign functions could trigger an integer overflow, leading to heap corruption. Introduced in 2019, this issue is also fixed in glibc Git.
What to expect next
- Release timeline: Glibc 2.43 is expected by early February and should include these fixes.
Bottom line
Glibc has addressed a decades-old edge case that could leak small amounts of stack data and a newer heap corruption risk. While practical impact appears limited, updating to the upcoming glibc release is advisable once available.
Source: https://www.phoronix.com/news/Glibc-Security-Fix-For-1996-Bug