=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN149
_____________________________________________________________________

DATE                : 11/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running munge versions prior to 0.5.18.

=====================================================================
https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
_____________________________________________________________________


Buffer overflow in message unpacking allows key leakage and credential 
forgery

High
dun published GHSA-r9cr-jf4v-75gh Feb 10, 2026

Package
munge

Affected versions
>= 0.5, <= 0.5.17

Patched versions
0.5.18


Description

Impact

A local attacker can exploit a buffer overflow vulnerability in munged 
(the MUNGE authentication daemon) to leak cryptographic key material 
from process memory. With the leaked key material, the attacker could 
forge arbitrary MUNGE credentials to impersonate any user (including 
root) to services that rely on MUNGE for authentication.

The vulnerability allows a buffer overflow by sending a crafted 
message with an oversized address length field, corrupting munged's 
internal state and enabling extraction of the MAC subkey used for 
credential verification.
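
Added illustration, not code from MUNGE or from the advisory: a bounds-checked unpack routine for a length-prefixed address field, showing the check whose absence produces this class of overflow (CWE-787). The wire layout, the names unpack_addr, try_unpack, struct peer_addr and ADDR_MAX, and the sample messages are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 4                /* assumed fixed destination size */

struct peer_addr {                /* hypothetical in-memory record */
    uint8_t addr[ADDR_MAX];
    uint8_t addr_len;
};

/* Unpack [addr_len:1][addr:addr_len] (assumed layout) from buf into out.
 * Returns the number of bytes consumed, or -1 if the message is rejected. */
int unpack_addr(const uint8_t *buf, size_t buf_len, struct peer_addr *out)
{
    if (buf == NULL || out == NULL || buf_len < 1)
        return -1;
    uint8_t len = buf[0];
    /* Sender-controlled length must fit the fixed-size destination
     * before any copy; without this, memcpy writes past out->addr. */
    if (len > sizeof(out->addr))
        return -1;
    /* The length must not run past the bytes actually received. */
    if ((size_t)len > buf_len - 1)
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out->addr, buf + 1, len);
    out->addr_len = len;
    return 1 + (int)len;
}

/* Convenience wrapper: unpack into a scratch record, return the result. */
int try_unpack(const uint8_t *buf, size_t buf_len)
{
    struct peer_addr scratch;
    return unpack_addr(buf, buf_len, &scratch);
}

/* Constructed sample messages. */
static const uint8_t MSG_OK[]        = { 4, 192, 0, 2, 10 };
static const uint8_t MSG_OVERSIZED[] = { 200, 1, 2, 3, 4, 5 }; /* claims 200 */
static const uint8_t MSG_TRUNCATED[] = { 4, 192, 0 };          /* 2 of 4 sent */

int main(void)
{
    printf("ok=%d\n", try_unpack(MSG_OK, sizeof MSG_OK));
    printf("oversized=%d\n", try_unpack(MSG_OVERSIZED, sizeof MSG_OVERSIZED));
    printf("truncated=%d\n", try_unpack(MSG_TRUNCATED, sizeof MSG_TRUNCATED));
    return 0;
}
```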

A proof-of-concept (PoC) exploit has been developed by a security 
researcher that demonstrates successful extraction of the MAC subkey 
on systems with modern security mitigations enabled (ASLR, PIE, NX, 
RELRO). This attack vector could potentially be used to extract other 
sensitive material from process memory. While key leakage has been 
demonstrated, forging credentials with the leaked key material is 
theoretically straightforward but has not been implemented in the PoC.

Users running munged are affected. In HPC environments where workload 
managers and other services use MUNGE for authentication, forged 
credentials could potentially enable privilege escalation. The 
severity of impact depends on how affected services use MUNGE 
credentials and what privileges they grant.

There is no indication this vulnerability is being exploited in the 
wild. The vulnerability was discovered during a security audit and 
responsibly disclosed.

Mitigation

The vulnerability is fixed in MUNGE 0.5.18. Users should upgrade to 
0.5.18 or apply vendor-supported updates that include fixes for 
CVE-2026-25506.

As a precautionary measure, regenerate MUNGE keys on all systems after 
patching. Note that key regeneration requires stopping munged 
cluster-wide, which will impact running jobs that need to 
authenticate. Sites should schedule an appropriate maintenance window 
based on their risk tolerance and operational requirements. If the 
vulnerability was exploited before patching, an attacker may have 
obtained MUNGE key material and could potentially forge credentials 
even after you patch.

To regenerate keys:

    1. Stop munged on all nodes
    2. Generate a new key on one node:
           sudo -u munge /usr/sbin/mungekey --force --verbose
    3. Distribute the new key to all nodes
    4. Restart munged on all nodes

References

    Commit: bf40cc2

Credit

    Reported by Titouan Lazard (LEXFO)


Severity
High (7.7 / 10)

CVSS v3 base metrics

    Attack vector:        Local
    Attack complexity:    High
    Privileges required:  Low
    User interaction:     None
    Scope:                Changed
    Confidentiality:      High
    Integrity:            High
    Availability:         Low

    CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

CVE ID
CVE-2026-25506

Weaknesses
CWE-787

 
=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================




