Description: A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1051958

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                         Version            Status
glibc (PTS)      bullseye (security), bullseye   2.31-13+deb11u10   fixed
glibc (PTS)      bookworm, bookworm (security)   2.36-9+deb12u7     fixed

The information below is based on the following data on fixed versions.

Package   Type     Release    Fixed Version    Urgency   Origin   Debian Bugs
glibc     source   buster     (not affected)
glibc     source   bullseye   (not affected)


[bullseye] - glibc <not-affected> (Vulnerable code not present)
[buster] - glibc <not-affected> (Vulnerable code not present)
Introduced by:;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2 (glibc-2.36)
Fixed by:;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (release/2.36/master branch)
Fixed by:;h=b7529346025a130fee483d42178b5c118da971bb (release/2.37/master branch)
Fixed by:;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 (release/2.38/master branch)
