Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-25506
PUBLISHED
More InfoOfficial Page
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
View Known Exploited Vulnerability (KEV) details
Published At-10 Feb, 2026 | 18:55
Updated At-17 Feb, 2026 | 18:17
Rejected At-
▼CVE Numbering Authority (CNA)
MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

Affected Products
Vendor
dun
Product
munge
Versions
Affected
  • >= 0.5, < 0.5.18
Problem Types
TypeCWE IDDescription
CWECWE-787CWE-787: Out-of-bounds Write
Type: CWE
CWE ID: CWE-787
Description: CWE-787: Out-of-bounds Write
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
x_refsource_CONFIRM
https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812
x_refsource_MISC
https://github.com/dun/munge/releases/tag/munge-0.5.18
x_refsource_MISC
Hyperlink: https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812
Resource:
x_refsource_MISC
Hyperlink: https://github.com/dun/munge/releases/tag/munge-0.5.18
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/02/10/3
N/A
https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html
N/A
http://www.openwall.com/lists/oss-security/2026/02/17/6
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/02/10/3
Resource: N/A
Hyperlink: https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/02/17/6
Resource: N/A
Details not found