CVE-2026-3904
CVE-2026-3904 is a medium-severity vulnerability in Gnu Glibc with a CVSS 3.x base score of 6.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-366.
Key facts
- Severity: Medium (CVSS 3.x base score 6.2)
- EPSS exploit prediction: 0% (4th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-11160
- Weakness: CWE-366
- Affected product: Gnu Glibc
- Published:
- Last modified:
Description
Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client.
Frequently asked questions
- What is CVE-2026-3904?
- Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository. It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client.
- How severe is CVE-2026-3904?
- CVE-2026-3904 has a CVSS 3.x base score of 6.2, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-3904 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (4th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-3904?
- CVE-2026-3904 affects Gnu Glibc. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-3904?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-3904 have an EU (EUVD) identifier?
- Yes. CVE-2026-3904 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-11160.
- When was CVE-2026-3904 published?
- CVE-2026-3904 was published on 2026-03-11 and last updated on 2026-06-17.
References
- https://sourceware.org/bugzilla/show_bug.cgi?id=29863
- https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0004;hb=HEAD
- https://sourceware.org/git/?p=glibc.git;a=commit;h=8804157ad9da39631703b92315460808eac86b0c
- https://sourceware.org/git/?p=glibc.git;a=commit;h=b712be52645282c706a5faa038242504feb06db5
- http://www.openwall.com/lists/oss-security/2026/03/11/5
Affected products (1)
- cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*
More vulnerabilities in Gnu Glibc
- CVE-2015-0235 — Critical (CVSS 10.0): Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18,…
- CVE-2026-5450 — Critical (CVSS 9.8): Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version…
- CVE-2023-25139 — Critical (CVSS 9.8): sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct…
- CVE-2022-23219 — Critical (CVSS 9.8): The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34…
- CVE-2022-23218 — Critical (CVSS 9.8): The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34…
- CVE-2021-33574 — Critical (CVSS 9.8): The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the…
All CVEs affecting Gnu Glibc →
Other CWE-366 vulnerabilities
- CVE-2025-58143 — Critical (CVSS 9.8): [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to…
- CVE-2025-31115 — High (CVSS 8.7): XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0,…
- CVE-2026-46181 — High (CVSS 7.8): In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx4: Fix mis-use of RCU in…
- CVE-2024-10630 — High (CVSS 7.8): A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to…
- CVE-2023-6546 — High (CVSS 7.0): A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. This issue occurs when two threads…
- CVE-2026-22819 — Medium (CVSS 5.9): Outray openSource ngrok alternative. Prior to 0.1.5, this vulnerability allows a user i.e a free plan user to get more…