CVE-2026-25506
- ULN >
- Oracle Linux CVE repository >
- CVE-2026-25506
CVE Details
| Release Date: | 2026-02-10 | |
| Impact: | Important | What is this? |
Description
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
See more information about CVE-2026-25506 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 7.7 |
| Vector String: | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | High |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Changed |
| Confidentiality Impact: | High |
| Integrity Impact: | High |
| Availability Impact: | Low |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 10 (munge) | ELSA-2026-3033 | 2026-02-23 |
| Oracle Linux version 8 (munge) | ELSA-2026-3032 | 2026-02-23 |
| Oracle Linux version 9 (munge) | ELSA-2026-3034 | 2026-02-23 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
