34069 – (CVE-2026-6238) Buffer overread in ns_sprintrrf with corrupted RDATA field (CVE-2026-6238)

Bug 34069 (CVE-2026-6238) - Buffer overread in ns_sprintrrf with corrupted RDATA field (CVE-2026-6238)

Summary: Buffer overread in ns_sprintrrf with corrupted RDATA field (CVE-2026-6238)

Status:	ASSIGNED

Alias:	CVE-2026-6238

Product:	glibc
Classification:	Unclassified
Component:	network (show other bugs)
Version:	2.44

Importance:	P2 normal
Target Milestone:	---
Assignee:	Florian Weimer

URL:
Keywords:

Depends on:
Blocks:

Reported:	2026-04-11 20:50 UTC by Florian Weimer
Modified:	2026-04-30 11:01 UTC (History)
CC List:	2 users (show)

See Also:	CVE-2026-5435
Host:
Target:
Build:
Last reconfirmed:
Project(s) to access:
ssh public key:

Flags:	fweimer: security+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Florian Weimer 2026-04-11 20:50:31 UTC

The RDATA length is not validated while parsing LOC, CERT, TKEY, TSIG, and A6 records. Applications using the deprecated ns_sprintrrf, ns_sprintrr, fp_nquery may encounter crashes or read uninitialized memory when processing corrupted DNS packets where the RDATA contents is not structured correctly.

Found while writing a test case for bug 34033.

Comment 1 Florian Weimer 2026-04-30 11:01:26 UTC

Patches posted:

[PATCH 0/5] Fixes for CVE-2026-5435, CVE-2026-6238
<https://inbox.sourceware.org/libc-alpha/cover.1777546194.git.fweimer@redhat.com/>