CVE-2026-25506 — HIGH (7.7)

Q: How severe is CVE-2026-25506?

CVE-2026-25506 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-25506?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Munge, Debian Debian Linux.

Vulnerability Description

MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Opensuse	Munge	>= 0.5, < 0.5.18
Debian	Debian Linux	11.0

Related Weaknesses (CWE)

CWE-787

References

https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812Patch
https://github.com/dun/munge/releases/tag/munge-0.5.18ProductRelease Notes
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75ghMitigationPatchVendor Advisory
http://www.openwall.com/lists/oss-security/2026/02/10/3Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2026/02/17/6Mailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2026/02/msg00015.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2026-25506?

CVE-2026-25506 is a vulnerability with a CVSS score of 7.7 (HIGH). MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daem...

How severe is CVE-2026-25506?

CVE-2026-25506 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-25506?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Munge, Debian Debian Linux.