Foundations of Sand: 30-Year-Old glibc Vulnerability Exposed in Linux Core
Occasionally, the most unforeseen vulnerabilities reside not within nascent code, but within foundations that have been deemed unimpeachable for decades. This week, developers disclosed CVE-2026-0915 within the GNU C Library (glibc), a cornerstone of the Linux ecosystem. The flaw persists in code authored as far back as 1996 and has only now received remediation.
The issue affects the getnetbyaddr and getnetbyaddr_r functions, which, under specific conditions, could send uninitialized stack data to a DNS resolver. If these functions are called with a network value of zero, the resulting DNS query is built from uninitialized memory contents. This causes a stack data leak, albeit a small one. While the privacy impact is considered negligible, such a leak could theoretically help an adversary bypass ASLR (Address Space Layout Randomization).
The library's developers note that exploitation scenarios are exceedingly rare: real applications seldom call these APIs with a network value of zero, and the leak remains confined to contiguous stack regions. Nonetheless, it is deeply ironic that this edge case went unexercised for nearly thirty years in a library so fundamental to the digital landscape.
The fix has been integrated into the glibc repository, ensuring that a network value of zero now triggers a predictable default query without accessing uninitialized memory.
Concurrently, a second vulnerability, CVE-2026-0861, was revealed. This flaw concerns the memalign functions and manifests when an excessively large alignment value is processed, leading to an integer overflow and subsequent heap corruption. Unlike CVE-2026-0915, this defect was introduced more recently, in 2019, and has likewise been rectified.
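The getnetbyaddr edge case and its fix described above, as an added example that is neither glibc's source nor part of the original article: a simplified C model in which the query name is written only when the network number contains a non-zero octet. The function names, the octet loop and the `0.0.0.0.in-addr.arpa` default are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model for illustration; NOT glibc source. Function names,
   the octet loop and the zero-network default name are assumptions. */

/* Before: `out` is written only when at least one octet was extracted.
   For net == 0 the loop never runs, cnt stays 4, no case matches, and
   the caller's buffer keeps whatever bytes it already held. */
int qname_legacy(uint32_t net, char *out, size_t n)
{
    unsigned b[4] = {0};
    int cnt = 4;

    for (; net != 0; net >>= 8)
        b[--cnt] = net & 0xff;

    switch (cnt) {
    case 3: return snprintf(out, n, "0.0.0.%u.in-addr.arpa", b[3]);
    case 2: return snprintf(out, n, "0.0.%u.%u.in-addr.arpa", b[3], b[2]);
    case 1: return snprintf(out, n, "0.%u.%u.%u.in-addr.arpa", b[3], b[2], b[1]);
    case 0: return snprintf(out, n, "%u.%u.%u.%u.in-addr.arpa",
                            b[3], b[2], b[1], b[0]);
    }
    return 0; /* cnt == 4: nothing written to out */
}

/* After: zero gets a fixed, predictable name, so `out` is always
   initialized before it is handed to the resolver. */
int qname_fixed(uint32_t net, char *out, size_t n)
{
    if (net == 0)
        return snprintf(out, n, "0.0.0.0.in-addr.arpa");
    return qname_legacy(net, out, n);
}

int main(void)
{
    char q[64];
    /* Constructed stand-in for stale stack contents. */
    strcpy(q, "STALE-STACK-BYTES");
    qname_legacy(0, q, sizeof q);
    printf("legacy, net=0: %s\n", q);
    qname_fixed(0, q, sizeof q);
    printf("fixed,  net=0: %s\n", q);
    return 0;
}
```

In the legacy form the stale bytes survive the call and would be sent as the query name; in the fixed form the buffer is always overwritten first.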
The release of glibc version 2.43, encompassing both remediations, is anticipated in early February. For the vast majority of users, the ramifications of these flaws will be minimal; however, the narrative serves as a poignant reminder that even the most venerable and ubiquitous components may harbor clandestine errors for generations.