CVE-2026-5358
Description
The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an attacker to spoof a crafted response to a UDP request generated by this function and overwrite neighboring static data in the requesting application. NIS support is obsolete and has been deprecated in the GNU C Library since version 2.26 and is only maintained for legacy usage. Applications should port away from NIS to more modern identity and access management services.
How to fix CVE-2026-5358
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Debian/glibc—no fix listed
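With no fixed version available, the practical question is which local binaries can reach the affected function at all. The following is an added example, not code from the advisory or from glibc: it parses `readelf -W --dyn-syms` output and flags ELF files that import `nis_local_principal`. The helper names and the sample output are constructed for illustration.

```python
import shutil
import subprocess
import sys

SYMBOL = "nis_local_principal"  # function named in the CVE description


def undefined_imports(dynsym_text):
    """Return names of undefined (imported) symbols in `readelf -W --dyn-syms` text."""
    names = set()
    for line in dynsym_text.splitlines():
        fields = line.split()
        # Data rows: Num: Value Size Type Bind Vis Ndx Name [(version index)]
        if len(fields) < 8 or not fields[0].rstrip(":").isdigit():
            continue
        if fields[6] == "UND":
            names.add(fields[7].split("@", 1)[0])  # drop the @VERSION suffix
    return names


def calls_affected_function(dynsym_text, symbol=SYMBOL):
    return symbol in undefined_imports(dynsym_text)


def scan(paths):
    """Run readelf on each path and return the paths that import SYMBOL."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf (binutils) not found")
    hits = []
    for path in paths:
        proc = subprocess.run(["readelf", "-W", "--dyn-syms", path],
                              capture_output=True, text=True)
        if proc.returncode == 0 and calls_affected_function(proc.stdout):
            hits.append(path)
    return hits


# Constructed sample of readelf output (not taken from a real binary).
SAMPLE = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND nis_local_principal@GLIBC_2.2.5 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)
     3: 0000000000001139    38 FUNC    GLOBAL DEFAULT   14 main
"""

if __name__ == "__main__":
    for hit in scan(sys.argv[1:]):
        print(hit)
```

Only dynamic imports are detected; statically linked binaries and symbols resolved at run time through `dlsym` will not appear in the results.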
Is CVE-2026-5358 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-5358.
Affected packages (1)
- from 0