CVE-2026-6238 | Buffer overread in ns_printrrf with corrupted RDATA field

The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA length in a DNS response when processing LOC, CERT, TKEY or TSIG records, which may allow an attacker to craft a DNS response, causing a target application to crash or read uninitialized memory. These functions are for application debugging only and hence not in the path of code executed by the DNS resolver. Further, they have been deprecated since version 2.34 and should not be used by any new applications. Applications should consider porting away from these interfaces since they may be removed in future versions.

Published: 2026-04-28 Last update: 2026-05-04 Assigner: 3ff69d7a-14f2-4f67-a097-88dee7810d18 Source: 3ff69d7a-14f2-4f67-a097-88dee7810d18
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2026-6238 is rated Low Risk (29.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.04%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2026-6238

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-04-29 0.04%

Full EPSS history (1 record total)

Common vulnerability scoring system (CVSS) metrics for CVE-2026-6238

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.5 3.1 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
 3.9 2.5 134c704f-9b21-4f2e-91b3-4a467353bcc0

Weakness enumeration for CVE-2026-6238

GitHub Security Advisory for CVE-2026-6238

GHSA-h8wx-jcwq-g3cp · Severity: medium — The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2...

OS Trackers for CVE-2026-6238

vendor priority summary link
debian not yet assigned CVE-2026-6238 not yet assigned priority: Debian including 1 source packages (glibc), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 5. https://security-tracker.debian.org/tracker/CVE-2026-6238
suse medium CVE-2026-6238 severity moderate: SUSE including 15 source package names (cross-aarch64-linux-glibc-devel, cross-arm-linux-glibc-devel, …), 45 product×package rows across 29 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (29 product lines)): Known Not Affected 45. https://www.suse.com/security/cve/CVE-2026-6238/
ubuntu medium CVE-2026-6238 medium priority: Ubuntu including 2 source packages (eglibc, glibc), 14 status rows across 9 suites (bionic, focal, jammy, noble, questing, resolute, trusty, upstream, xenial): needs-triage 10, DNE 4. https://ubuntu.com/security/CVE-2026-6238

Affected software / configurations for CVE-2026-6238

Vendor Product Version Raw CPE
gnu glibc >= 2.2 cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

References for CVE-2026-6238

cvelogic Threat Intelligence