CVE-2026-4438 PUBLISHED

gethostbyaddr and gethostbyaddr_r return invalid DNS hostnames

Assigner: glibc
Reserved: 19.03.2026 Published: 20.03.2026 Updated: 20.03.2026

In the GNU C Library versions 2.34 through 2.43, calling gethostbyaddr or gethostbyaddr_r when nsswitch.conf is configured to use the library's DNS backend could result in an invalid DNS hostname being returned to the caller, in violation of the DNS specification.
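A caller-side check for names returned by these functions, as an added example that is not part of the CVE record or of glibc. It assumes "invalid" means a name outside the letter-digit-hyphen hostname syntax of RFC 952 and RFC 1123, since the record does not say what form the invalid names take. The function names is_valid_hostname and hostent_names_ok are hypothetical.

```c
#include <ctype.h>
#include <netdb.h>
#include <stddef.h>
#include <string.h>

/* Returns 1 if name is LDH hostname syntax: labels of 1-63 letters, digits
 * or '-', not starting or ending with '-', at most 253 characters in total,
 * one optional trailing dot. Anything else (spaces, control bytes, '/',
 * shell or markup metacharacters, empty labels) returns 0. */
int is_valid_hostname(const char *name)
{
    if (name == NULL)
        return 0;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        len--;                          /* tolerate the root dot */
    if (len == 0 || len > 253)
        return 0;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0 || name[i - 1] == '-')
                return 0;               /* empty label or trailing '-' */
            label_len = 0;
        } else if (c < 0x80 && (isalnum(c) || c == '-')) {
            if (c == '-' && label_len == 0)
                return 0;               /* leading '-' */
            if (++label_len > 63)
                return 0;               /* label too long */
        } else {
            return 0;                   /* byte outside LDH */
        }
    }
    return label_len > 0 && name[len - 1] != '-';
}

/* Vets a result from gethostbyaddr/gethostbyaddr_r before the caller logs
 * it, compares it against an allow-list or passes it on: the canonical
 * name and every alias must pass, otherwise treat the lookup as failed. */
int hostent_names_ok(const struct hostent *he)
{
    if (he == NULL || !is_valid_hostname(he->h_name))
        return 0;
    for (char **a = he->h_aliases; a != NULL && *a != NULL; a++)
        if (!is_valid_hostname(*a))
            return 0;
    return 1;
}
```

The check is deliberately strict, so names with underscores are rejected; relax the character test only if the deployment depends on such PTR records.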

Product Status

Vendor The GNU C Library
Product glibc
Versions Default: unaffected
  • affected from 2.34 to 2.43 (incl.)

Credits

  • Antonio Maini (0rbitingZer0) - 0rbitingZer0@proton.me finder

Problem Types

  • CWE-20 Improper input validation CWE

Impacts

  • CAPEC-142 DNS Cache Poisoning