Re: CVE-2026-25506: MUNGE 0.5-0.5.17 buffer overflow allowing key leakage

[Sam James <sam () gentoo org>]

Chris Dunlap <chris.m.dunlap () gmail com> writes:

> A buffer overflow vulnerability in MUNGE allows a local attacker to
> leak cryptographic key material from the munged daemon process
> memory. With the leaked key material, the attacker could forge
> arbitrary MUNGE credentials to impersonate any user to services that
> rely on MUNGE for authentication.

Thanks for posting this to oss-security.

> [...]
>
> There is no indication this vulnerability is being exploited in the
> wild. The vulnerability was discovered during a security audit and
> responsibly disclosed.
>
> [...]

I see there's a writeup published now as well:
https://blog.lexfo.fr/munge-heap-buffer-overflow.html

> Reported by Titouan Lazard (LEXFO).

sam

Attachment: signature.asc
Description: