7.8

CVE-2026-25506

EPSS 0.02%
Veröffentlicht 10.02.2026 18:55:57
Zuletzt bearbeitet 25.02.2026 17:39:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opensuse ≫ Munge Version >= 0.5 < 0.5.18

Debian ≫ Debian Linux Version11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.048

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.7	1.1	6	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

CWE-787 Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh

Patch

Vendor Advisory

Mitigation

https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812

Patch

https://github.com/dun/munge/releases/tag/munge-0.5.18

Product

Release Notes

http://www.openwall.com/lists/oss-security/2026/02/10/3

Patch

Third Party Advisory

Mailing List

https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html

Third Party Advisory

Mailing List

http://www.openwall.com/lists/oss-security/2026/02/17/6

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-25506

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-25506

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-25506

EUVD