Out-of-bounds write in MUNGE - CVE-2026-25506

 


Published: February 13, 2026


Vulnerability identifier: #VU122809
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-25506
CWE-ID: CWE-787
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Dun
Affected software:
MUNGE

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to a boundary error. A local user can trigger an out-of-bounds write in the authentication daemon and force it to leak cryptographic key material from the process memory. The extracted information can be used to forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication.


How to mitigate CVE-2026-25506

Install updates from the vendor's website.
