The core of many Linux-based operating systems is facing a series of security challenges. Recent advisories for the GNU C Library (glibc) have disclosed three distinct vulnerabilities ranging from heap overflows to memory disclosure flaws. While some impact legacy systems, others target common functions used in modern application development.
A static buffer overflow, tracked as CVE-2026-5358, has been discovered in the nis_local_principal function. This vulnerability affects glibc version 2.43 and older.
An attacker can spoof a crafted response to a UDP request generated by this function. This can lead to overwriting neighboring static data within the requesting application.
NIS support has been deprecated since version 2.26 and is only maintained for legacy purposes. The advisory explicitly states that “applications should port away from NIS to more modern identity and access management services”.
A heap buffer overflow, tracked as CVE-2026-5450, exists within the scanf family of functions when using the %mc (malloc’d character match) specifier. This affects versions 2.7 through 2.43.
A bug in the buffer growth formula in _vfscanf_internal causes the system to under-allocate memory by exactly one byte during expansion. An attacker can achieve a controlled single-byte overwrite past the end of the heap buffer.
Real-world impact may be limited, as the %[width]mc format specifier “does not appear to have notable use in major Linux-based OS distributions”.
The ungetwc function, used for pushing back wide characters into a stream, is vulnerable to a potential buffer under-read (CVE-2026-5928). This impacts glibc version 2.43 and earlier.
A bug in the wide character pushback implementation causes ungetwc() to incorrectly operate on the regular character buffer instead of the wide-stream read pointer. This may result in an “unintentional disclosure of neighboring data in the heap, or a program crash”.
The crash occurs specifically when the regular character buffer is uninitialized, that is, a NULL pointer. Notably, this under-read cannot be triggered when using standard Unicode character sets.
While many of these vulnerabilities require specific, often “bespoke” use cases to exploit, they represent a significant risk to the stability and security of the Linux ecosystem. Developers and system administrators are encouraged to update their GNU C Library to a version beyond 2.43 to mitigate these risks.
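The version ranges quoted for the three advisories above (2.43 and older for CVE-2026-5358 and CVE-2026-5928, 2.7 through 2.43 for CVE-2026-5450) are easy to misread when triaging a fleet, so the following script is added here as a defender's triage helper. It is not code from the advisories or from the glibc project. It assumes a POSIX shell with GNU grep (for `--include`), that `getconf GNU_LIBC_VERSION` is available to report the installed glibc (it is on glibc systems), and it only flags source lines that use the interfaces named in this article (`%[width]mc` conversions, `ungetwc()`, and NIS `nis_*`/`yp_*` calls) so that maintainers know where to look first.

```shell
#!/bin/sh
# Added triage helper (not from the glibc advisories): checks a glibc
# "MAJOR.MINOR" version against the ranges quoted in the article and
# lists source lines that call the interfaces the advisories name.

# version_le A B -> exit 0 if A <= B, comparing MAJOR then MINOR numerically.
# Anything that is not digits and dots is treated as "not comparable" (exit 1).
version_le() {
    case "$1$2" in *[!0-9.]*|"") return 1 ;; esac
    a_major="${1%%.*}"; a_minor="${1#*.}"; a_minor="${a_minor%%.*}"
    b_major="${2%%.*}"; b_minor="${2#*.}"; b_minor="${b_minor%%.*}"
    if [ "$a_major" -lt "$b_major" ]; then return 0; fi
    if [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -le "$b_minor" ]; then
        return 0
    fi
    return 1
}

# glibc_affected_cves VERSION -> prints, one per line, the CVE ids from the
# article whose stated version range covers VERSION (prints nothing if none).
glibc_affected_cves() {
    v="$1"
    # CVE-2026-5358 (nis_local_principal static overflow): 2.43 and older
    version_le "$v" 2.43 && echo CVE-2026-5358
    # CVE-2026-5450 (scanf %mc heap overflow): 2.7 through 2.43
    version_le 2.7 "$v" && version_le "$v" 2.43 && echo CVE-2026-5450
    # CVE-2026-5928 (ungetwc under-read): 2.43 and earlier
    version_le "$v" 2.43 && echo CVE-2026-5928
    return 0
}

# installed_glibc_version -> "2.39"-style string from getconf, or empty if
# the query is unavailable (non-glibc system, or getconf missing).
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# scan_sources DIR -> greps *.c/*.h under DIR for the interfaces the advisories
# name: %[width]mc scanf conversions, ungetwc(), and NIS nis_*/yp_* calls.
# Output is grep's "file:line:text"; a hit is a review item, not proof of a bug.
scan_sources() {
    grep -rnE --include='*.c' --include='*.h' \
        '%[0-9]*mc|(^|[^[:alnum:]_])ungetwc[[:space:]]*\(|(^|[^[:alnum:]_])(nis|yp)_[a-z_]+[[:space:]]*\(' \
        "$1" 2>/dev/null
    return 0
}

# Stand-alone run: report the local glibc, then scan the tree given as $1
# (defaults to the current directory).
ver="$(installed_glibc_version)"
if [ -n "$ver" ]; then
    echo "installed glibc: $ver"
    glibc_affected_cves "$ver" | sed 's/^/  version inside stated range for: /'
else
    echo "installed glibc: unknown (getconf GNU_LIBC_VERSION unavailable)"
fi
scan_sources "${1:-.}"
```

Run it as `sh glibc_triage.sh path/to/source` on each host or build image. A version inside the stated range says only that the host has not yet moved beyond 2.43 as the article recommends; distribution vendors commonly backport fixes without bumping the minor version, so confirm against your vendor's package changelog before closing the finding. The grep hits are likewise a starting list of call sites to review, not a vulnerability verdict.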