{
  "threat_severity" : "Low",
  "public_date" : "2026-03-20T19:59:06Z",
  "bugzilla" : {
    "description" : "glibc: Invalid DNS hostname returned via gethostbyaddr functions",
    "id" : "2449783",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2449783"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-838",
  "details" : [ "Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.", "A flaw was found in the GNU C library (glibc). When applications call the `gethostbyaddr` or `gethostbyaddr_r` functions and the `nsswitch.conf` configuration specifies glibc's DNS backend, the library may return an invalid DNS hostname. Such a hostname violates the DNS specification, and applications may receive incorrect hostname information, potentially impacting network operations or security decisions." ],
  "statement" : "This is a LOW impact flaw in which glibc's `gethostbyaddr` and `gethostbyaddr_r` functions may return an invalid DNS hostname. It occurs when the `nsswitch.conf` configuration in use specifies glibc's DNS backend. As a result, applications on Red Hat Enterprise Linux and OpenShift Container Platform could receive incorrect hostname information, potentially affecting network operations or security decisions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-05-19T00:00:00Z",
    "advisory" : "RHSA-2026:19061",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "glibc-0:2.39-121.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20597",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "glibc-0:2.34-270.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-05-26T00:00:00Z",
    "advisory" : "RHSA-2026:20597",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "glibc-0:2.34-270.el9_8"
  }, {
    "product_name" : "Cost Management 4",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:27998",
    "cpe" : "cpe:/a:redhat:cost_management:4::el9",
    "package" : "costmanagement/costmanagement-metrics-rhel9-operator:1780946239"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-09T00:00:00Z",
    "advisory" : "RHSA-2026:7316",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "glibc-main-2.42-11.1.hum1"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2026-06-02T00:00:00Z",
    "advisory" : "RHSA-2026:22634",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:1780420428"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26319",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:1781525684"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26319",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:1781525671"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26319",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:1781525693"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-06-16T00:00:00Z",
    "advisory" : "RHSA-2026:26319",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:1781525739"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "compat-glibc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "glibc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "compat-glibc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "glibc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "glibc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-4438\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4438\nhttps://sourceware.org/bugzilla/show_bug.cgi?id=34015" ],
  "name" : "CVE-2026-4438",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}