In resolv/nss_dns/dns-host.c (getanswer_ptr) 805 static enum nss_status 806 getanswer_ptr (unsigned char *packet, size_t packetlen, 807 struct alloc_buffer *abuf, char **hnamep, 808 int *errnop, int *h_errnop, int32_t *ttlp) 809 { 810 struct ns_rr_cursor c; 811 if (!__ns_rr_cursor_init (&c, packet, packetlen)) 812 { 813 /* This should not happen because __res_context_query already 814 performs response validation. */ 815 *h_errnop = NO_RECOVERY; 816 return NSS_STATUS_UNAVAIL; 817 } 818 int ancount = ns_rr_cursor_ancount (&c); 819 const unsigned char *expected_name = ns_rr_cursor_qname (&c); 820 /* expected_name may be updated to point into this buffer. */ 821 unsigned char name_buffer[NS_MAXCDNAME]; 822 823 while (ancount > 0) 824 { A defect in the getanswer_ptr function, which implements the iteration and extraction of the answer from the DNS response, can cause it to incorrectly transition from the answer section to the next section while still treating it as an answer to the question. This can happen when the answer contains only skipped records, and the subsequent section contains a semantically invalid T_PTR record. This is considered a security issue because it is a violation of the DNS specification that leads to incorrect behaviour that could result in the wrong hostname being returned to the caller. At the time of publication, no known affected DNS server returns results that would be incorrectly interpreted by the library. An attacker would either need to be network adjacent or have compromised the DNS server to use this defect to hide returned reverse DNS results from intrusion detection systems. Even then, the inbound connection from the attacker, or the outbound connection from the application, would be visible to the intrusion detection system. At best, the defect can be used to obfuscate and delay analysis of the evolving threat. Two other instances iterate ancount records correctly: getanswer_r (line 741): for (; ancount > 0; --ancount) gaih_getanswer_slice (line 932): for (; ancount > -0; --ancount) The solution is to use the same pattern in this case. Reported-by: Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me Reported-by: Kevin Farrell
The glibc security team has reviewed this and evaluated that it has security impact. Setting security+ and assigning CVE-2026-4437.
I have a patch and regression test case ready for this and will post to libc-alpha shortly.
Patch posted: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
Advisory text is out for review: https://inbox.sourceware.org/libc-alpha/20260320194804.1089897-1-carlos@redhat.com/
commit 9f5f18aab40ec6b61fa49a007615e6077e9a979b Author: Carlos O'Donell <carlos@redhat.com> Date: Fri Mar 20 16:43:33 2026 -0400 resolv: Count records correctly (CVE-2026-4437) The answer section boundary was previously ignored, and the code in getanswer_ptr would iterate past the last resource record, but not beyond the end of the returned data. This could lead to subsequent data being interpreted as answer records, thus violating the DNS specification. Such resource records could be maliciously crafted and hidden from other tooling, but processed by the glibc stub resolver and acted upon by the application. While we trust the data returned by the configured recursive resolvers, we should not trust its format and should validate it as required. It is a security issue to incorrectly process the DNS protocol. A regression test is added for response section crossing. No regressions on x86_64-linux-gnu. Reviewed-by: Collin Funk <collin.funk1@gmail.com>