You are viewing this page in an unauthorized frame window.
This is a potential security issue, you are being redirected to
https://nvd.nist.gov
An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
This CVE record has been updated after NVD enrichment efforts were completed. Enrichment data supplied by the NVD may require amendment due to these changes.
Description
Calling NSS-backed functions that support caching via nscd may call the
nscd client side code and in the GNU C Library version 2.36 under high
load on x86_64 systems, the client may call memcmp on inputs that are
concurrently modified by other processes or threads and crash.
The nscd client in the GNU C Library uses the memcmp function with
inputs that may be concurrently modified by another thread, potentially
resulting in spurious cache misses, which in itself is not a security
issue. However in the GNU C Library version 2.36 an optimized
implementation of memcmp was introduced for x86_64 which could crash
when invoked with such undefined behaviour, turning this into a
potential crash of the nscd client and the application that uses it.
This implementation was backported to the 2.35 branch, making the nscd
client in that branch vulnerable as well. Subsequently, the fix for
this issue was backported to all vulnerable branches in the GNU C
Library repository.
It is advised that distributions that may have cherry-picked the memcpy
SSE2 optimization in their copy of the GNU C Library, also apply the fix
to avoid the potential crash in the nscd client.
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].
[{"vendor":"The GNU C Library","product":"glibc","defaultStatus":"unaffected","platforms":["x86"],"versions":[{"version":"2.35","lessThan":"2.37","versionType":"custom","status":"affected"}]}]
Initial Analysis by NIST4/09/2026 4:31:38 PM
Action
Type
Old Value
New Value
Added
CPE Configuration
OR
*cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* versions from (including) 2.35 up to (excluding) 2.37
Added
Reference Type
CVE: http://www.openwall.com/lists/oss-security/2026/03/11/5 Types: Mailing List, Third Party Advisory
Added
Reference Type
GNU C Library: https://sourceware.org/bugzilla/show_bug.cgi?id=29863 Types: Exploit, Issue Tracking, Patch
Added
Reference Type
GNU C Library: https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0004;hb=HEAD Types: Third Party Advisory
Added
Reference Type
GNU C Library: https://sourceware.org/git/?p=glibc.git;a=commit;h=8804157ad9da39631703b92315460808eac86b0c Types: Patch
Added
Reference Type
GNU C Library: https://sourceware.org/git/?p=glibc.git;a=commit;h=b712be52645282c706a5faa038242504feb06db5 Types: Patch
New CVE Received from GNU C Library3/11/2026 10:16:30 AM
Action
Type
Old Value
New Value
Added
Description
Calling NSS-backed functions that support caching via nscd may call the
nscd client side code and in the GNU C Library version 2.36 under high
load on x86_64 systems, the client may call memcmp on inputs that are
concurrently modified by other processes or threads and crash.
The nscd client in the GNU C Library uses the memcmp function with
inputs that may be concurrently modified by another thread, potentially
resulting in spurious cache misses, which in itself is not a security
issue. However in the GNU C Library version 2.36 an optimized
implementation of memcmp was introduced for x86_64 which could crash
when invoked with such undefined behaviour, turning this into a
potential crash of the nscd client and the application that uses it.
This implementation was backported to the 2.35 branch, making the nscd
client in that branch vulnerable as well. Subsequently, the fix for
this issue was backported to all vulnerable branches in the GNU C
Library repository.
It is advised that distributions that may have cherry-picked the memcpy
SSE2 optimization in their copy of the GNU C Library, also apply the fix
to avoid the potential crash in the nscd client.