Description

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

INFO

Published Date :

2026-02-10T18:55:57.708Z

Last Modified :

2026-02-10T20:14:03.821Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25506 vulnerability.

Vendors Products
Dun
  • Munge
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25506.

URL Resource
http://www.openwall.com/lists/oss-security/2026/02/10/3 cve-icon
https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812 cve-icon cve-icon cve-icon
https://github.com/dun/munge/releases/tag/munge-0.5.18 cve-icon cve-icon cve-icon
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh cve-icon cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-25506 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-25506 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact