resolv/nss_dns/dns-host.c (getanswer_ptr): 855 else if (rr.rtype == T_PTR 856 && __ns_samebinaryname (rr.rname, expected_name)) 857 { 858 /* Decompress the target of the PTR record. This is the 859 host name we are looking for. We can only use it if it 860 is syntactically valid. Historically, only one host name 861 is returned here. If the recursive resolver performs DNS 862 record rotation, the returned host name is essentially 863 random, which is why multiple PTR records are rarely 864 used. Use MAXHOSTNAMELEN instead of NS_MAXCDNAME for 865 additional length checking. */ 866 char hname[MAXHOSTNAMELEN + 1]; 867 if (__ns_name_unpack (c.begin, c.end, rr.rdata, 868 name_buffer, sizeof (name_buffer)) < 0 869 || !__res_binary_hnok (expected_name) 870 || __ns_name_ntop (name_buffer, hname, sizeof (hname)) < 0) 871 { 872 *h_errnop = NO_RECOVERY; 873 return NSS_STATUS_UNAVAIL; 874 } 875 /* Successful allocation is checked by the caller. */ 876 *hnamep = alloc_buffer_copy_string (abuf, hname); 877 return NSS_STATUS_SUCCESS; 878 } A defect in the getanswer_ptr function, which implements the iteration and extraction of the answer from a DNS response, can cause it to accept an invalid DNS hostname that can contain shell metacharacters. An application that uses the returned hostname in a shell, without guarding for shell expansion, may be subject to shell injection attacks. At the time of publication, no known affected DNS server returns results with shell metacharacters in the results. An attacker would either need to be network adjacent or have compromised the DNS server to use this defect for shell injection. No known vulnerable application has been identified. The fix is to call __res_binary_hnok(name_buffer) instead of against the expected_name (which came from the question section). Reported-by: Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me
The glibc security team has reviewed this and evaluated that it has security impact. Setting security+ and assigning CVE-2026-4438.
I have a patch and regression test case ready for this and will post to libc-alpha shortly.
Patch posted: https://inbox.sourceware.org/libc-alpha/20260320194250.1089143-1-carlos@redhat.com/
Advisory text is out for review: https://inbox.sourceware.org/libc-alpha/20260320194804.1089897-2-carlos@redhat.com/
commit e10977481f4db4b2a3ce34fa4c3a1e26651ae312 Author: Carlos O'Donell <carlos@redhat.com> Date: Fri Mar 20 17:14:33 2026 -0400 resolv: Check hostname for validity (CVE-2026-4438) The processed hostname in getanswer_ptr should be correctly checked to avoid invalid characters from being allowed, including shell metacharacters. It is a security issue to fail to check the returned hostname for validity. A regression test is added for invalid metacharacters and other cases of invalid or valid characters. No regressions on x86_64-linux-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>