CVE-2026-0915 was published on Friday as a security issue in the GNU C Library “glibc” affecting code introduced 30 years ago. The latest Glibc Git code is now patched for this issue, which dates back to 1996.
The oss-security bulletin sums up the issue as the getnetbyaddr and getnetbyaddr_r functions leaking stack contents to the DNS resolver. The bulletin does note, though, that it is rare to call these APIs with a network value of zero, and that an attacker taking advantage of this issue can only leak the adjacent stack. The loss of confidentiality is ultimately limited but could be used to help in an address space layout randomization (ASLR) bypass. Thankfully the scope is rather limited and the impact should ultimately be minimal, but it is rather surprising that it took 30 years for the zero-value case to be tested and in turn properly handled by this very important library.
The NSS DNS back-end is now fixed in Glibc: as it turns out, a network value of zero was never tested, and that case can result in the DNS query being constructed from uninitialized stack bytes. With the newest Glibc code, a default query is now constructed for cases where the network value is zero.
The issue is fixed by this Git commit now in glibc.git. The code that introduced this problem dates all the way back to June 1996.
CVE-2026-0861 was also disclosed this week for Glibc, where passing too large an alignment to glibc’s memalign functions could result in an integer overflow and in turn heap corruption. At least that problematic code was only introduced back in 2019, and it is also now fixed in Glibc Git.
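For programs that cannot pick up the patched Glibc right away, a caller-side guard on alignment requests is a reasonable stopgap. The example below is added here and is not Glibc's own fix or code; the specific rejection bound (alignment no larger than a quarter of SIZE_MAX, and headroom for a small bookkeeping header) is an assumption of this example, chosen so the allocator's size-rounding arithmetic cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Return 1 when an alignment request is one we are willing to hand to
 * the allocator: a power of two, at least pointer-sized, and small
 * enough that "size rounded up to alignment plus bookkeeping" cannot
 * overflow size_t. The bound below is this example's policy (an
 * assumption), not a value taken from glibc. */
int alignment_is_sane(size_t alignment, size_t size)
{
    if (alignment < sizeof(void *))
        return 0;                               /* too small to be meaningful */
    if (alignment & (alignment - 1))
        return 0;                               /* not a power of two */
    if (alignment > (SIZE_MAX >> 2))
        return 0;                               /* huge alignment: overflow risk */
    /* Leave room for the alignment slack and a small header; the
     * subtraction cannot wrap because alignment <= SIZE_MAX/4. */
    if (size > SIZE_MAX - alignment - 2 * sizeof(size_t))
        return 0;
    return 1;
}

/* Validate first, then call posix_memalign. Returns NULL when the
 * request is rejected or the allocation fails. */
void *checked_memalign(size_t alignment, size_t size)
{
    void *p = NULL;
    if (!alignment_is_sane(alignment, size))
        return NULL;
    if (posix_memalign(&p, alignment, size) != 0)
        return NULL;
    return p;
}

int main(void)
{
    /* Highest bit set: a power of two, but far beyond the sane bound. */
    size_t huge = (size_t)1 << (sizeof(size_t) * 8 - 1);
    void *ok = checked_memalign(4096, 100);
    void *bad = checked_memalign(huge, 16);
    printf("4096-byte alignment: %s\n", ok ? "allocated" : "rejected");
    printf("oversized alignment: %s\n", bad ? "allocated" : "rejected");
    free(ok);
    return 0;
}
```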
Glibc 2.43 is expected to be released by early February as the next scheduled update to the GNU C Library.
