Bug#1125748: glibc: CVE-2026-0915

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1125748: glibc: CVE-2026-0915
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 16 Jan 2026 22:50:35 +0100
Message-id: <[🔎] 176860023599.40118.8102680508164090111.reportbug@eldamar.lan>
Reply-to: Salvatore Bonaccorso <carnil@debian.org>, 1125748@bugs.debian.org

Source: glibc
Version: 2.42-7
Severity: important
Tags: security upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=33802
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 2.41-12+deb13u1
Control: found -1 2.41-12
Control: found -1 2.36-9+deb12u13
Control: found -1 2.36-9+deb12u7
Control: found -1 2.36-9

Hi,

The following vulnerability was published for glibc.

CVE-2026-0915[0]:
| Calling getnetbyaddr or getnetbyaddr_r with a configured
| nsswitch.conf that specifies the library's DNS backend for networks
| and queries for a zero-valued network in the GNU C Library version
| 2.0 to version 2.42 can leak stack contents to the configured DNS
| resolver.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-0915
    https://www.cve.org/CVERecord?id=CVE-2026-0915
[1] https://sourceware.org/bugzilla/show_bug.cgi?id=33802

Regards,
Salvatore

Reply to:

Follow-Ups:
- Processed: glibc: CVE-2026-0915
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>
- Bug#1125748: marked as done (glibc: CVE-2026-0915)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Processing of glibc_2.42-8_source.changes
Next by Date: Processed: glibc: CVE-2026-0915
Previous by thread: Processing of glibc_2.42-8_source.changes
Next by thread: Processed: glibc: CVE-2026-0915
Index(es):
- Date
- Thread