
Important: Crash and Information Leak Vulnerabilities in Fedora 42 glibc (2026)

fedora
January 27, 2026
Update for Fedora 42 glibc addresses critical issues including information leakage and crashes related to specific functions.

Summary

The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs. This particular package contains the most important sets of shared libraries: the standard C library and the standard math library. Without these two libraries, a Linux system will not function.

Update Information:

This update switches the currency symbol for Bulgaria to the Euro. Furthermore, it addresses several security vulnerabilities:

- A crash when wordexp is used with WRDE_REUSE (CVE-2025-15281)
- Information leakage from the stack if getnetbyaddr is called for the zero address (CVE-2026-0915)
- An integer overflow in memalign and related functions if they are called with out-of-bounds size/alignment combinations (CVE-2026-0861)

LD_PROFILE is now ignored with a warning if LD_PROFILE_OUTPUT is not specified, rather than using the insecure /var/tmp default.

The following changes from the upstream stable release branch are applied:

- nptl: Optimize trylock for high cache contention workloads (BZ #33704) (Sunil K Pandey)
- sprof: fix -Wformat warnings on 32-bit hosts (Collin Funk)
- sprof: check pread size and offset for overflow (DJ Delorie)
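To see which running processes depend on the old LD_PROFILE behaviour described above, the following added example (not part of the Fedora advisory or of glibc) classifies /proc-style environment blocks. The function names, the constructed sample data and the treatment of an empty value as unset are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that request
# LD_PROFILE without LD_PROFILE_OUTPUT, the case this update changes.

# classify_environ FILE
# FILE is a NUL-separated environment block (/proc/<pid>/environ format).
# Prints: none | explicit-output | default-output | unreadable
# Assumption: an empty value is treated the same as an unset variable.
classify_environ() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # Map newlines inside values to spaces first, then NUL to newline, so
    # a value containing "\nLD_PROFILE=..." cannot fake an entry.
    tr '\n\000' ' \n' < "$1" | awk '
        /^LD_PROFILE=./        { profile = 1 }
        /^LD_PROFILE_OUTPUT=./ { output = 1 }
        END {
            if (!profile)    print "none"
            else if (output) print "explicit-output"
            else             print "default-output"
        }'
}

# scan_proc: list live processes in the default-output state.
# /proc/<pid>/environ shows the environment at exec time; run as root to
# see other users' processes.
scan_proc() {
    for env in /proc/[0-9]*/environ; do
        [ "$(classify_environ "$env")" = "default-output" ] || continue
        pid=${env#/proc/}
        printf 'pid %s: LD_PROFILE set, LD_PROFILE_OUTPUT not set\n' "${pid%/environ}"
    done
}

# demo: constructed sample blocks, not captured from a real system.
demo() {
    d=$(mktemp -d) || return 1
    printf 'PATH=/usr/bin\000LD_PROFILE=libc.so.6\000' > "$d/a"
    printf 'LD_PROFILE=libc.so.6\000LD_PROFILE_OUTPUT=/run/prof\000' > "$d/b"
    printf 'NOTE=x\nLD_PROFILE=fake\000HOME=/root\000' > "$d/c"
    for f in a b c; do
        printf '%s: %s\n' "$f" "$(classify_environ "$d/$f")"
    done
    rm -rf "$d"
}

if [ "${1:-}" = "--scan" ]; then scan_proc; else demo; fi
```

Run with `--scan` to audit live processes; anything reported as default-output was relying on the /var/tmp default and will have profiling ignored after the update unless LD_PROFILE_OUTPUT is set.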

Change Log

* Fri Jan 23 2026 Florian Weimer - 2.41-16
- Ignore LD_PROFILE if LD_PROFILE_OUTPUT is not set (#2432405)

* Fri Jan 23 2026 Florian Weimer - 2.41-15
- Auto-sync with upstream branch release/2.41/master, commit fb4db64a04ad6c96cd1fbb7e02eb59323b1f2ac2:
- posix: Reset wordexp_t fields with WRDE_REUSE (CVE-2025-15281)
- resolv: Fix NSS DNS backend for getnetbyaddr (CVE-2026-0915)
- memalign: reinstate alignment overflow check (CVE-2026-0861)

* Tue Jan 13 2026 Florian Weimer - 2.41-14
- Switch currency symbol for the bg_BG locale to euro (#2429016)

* Mon Jan 12 2026 Frédéric Bérat - 2.41-13
- Auto-sync with upstream branch master, commit c96b4ed1e26f06ebc56c17ba2c29d1647be68c1e:
- nptl: Optimize trylock for high cache contention workloads (BZ #33704) (Sunil K Pandey)
- support: Exit on consistency check failure in resolv_response_add_name (Florian Weimer)
- support: Fix FILE * leak in check_for_unshare_hints in test-container (Florian Weimer)
- sprof: fix -Wformat warnings on 32-bit hosts (Collin Funk)
- sprof: check pread size and offset for overflow (DJ Delorie)

References

[ 1 ] Bug #2429016 - glibc: Bulgaria joined the eurozone
      https://bugzilla.redhat.com/show_bug.cgi?id=2429016
[ 2 ] Bug #2430076 - CVE-2026-0861 glibc: Integer overflow in memalign leads to heap corruption [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2430076
[ 3 ] Bug #2430319 - CVE-2026-0915 glibc: glibc: Information disclosure via zero-valued network query [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2430319
[ 4 ] Bug #2431279 - CVE-2025-15281 glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialized memory [fedora-42]
      https://bugzilla.redhat.com/show_bug.cgi?id=2431279

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-a2f3af8a86' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity: important

Name: glibc
Product: Fedora 42
Version: 2.41
Release: 16.fc42
Summary: The GNU libc libraries
