CVE-2026-25506

NameCVE-2026-25506
DescriptionMUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4477-1, DSA-6129-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
munge (PTS)bullseye0.5.14-4vulnerable
bullseye (security)0.5.14-4+deb11u1fixed
bookworm0.5.15-2vulnerable
bookworm (security)0.5.15-2+deb12u1fixed
trixie (security)0.5.16-1.1~deb13u1fixed
forky, trixie0.5.16-1vulnerable
sid0.5.16-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mungesourcebullseye0.5.14-4+deb11u1DLA-4477-1
mungesourcebookworm0.5.15-2+deb12u1DSA-6129-1
mungesourcetrixie0.5.16-1.1~deb13u1DSA-6129-1
mungesource(unstable)0.5.16-1.1

Notes

https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
Fixed by: https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812 (munge-0.5.18)
Search for package or bug name: Reporting problems