From patchwork Fri Jan 16 14:25:07 2026
X-Patchwork-Submitter: Siddhesh Poyarekar
X-Patchwork-Id: 128240
From: Siddhesh Poyarekar
To: libc-alpha@sourceware.org
Cc: carlos@redhat.com, adhemerval.zanella@linaro.org
Subject: [PATCH v3] Add advisory text for CVE-2026-0861
Date: Fri, 16 Jan 2026 09:25:07 -0500
Message-ID: <20260116142507.994662-1-siddhesh@gotplt.org>
In-Reply-To: <20260115220719.2656352-1-siddhesh@gotplt.org>
References: <20260115220719.2656352-1-siddhesh@gotplt.org>

Explain the security issue and set context for the vulnerability to help downstreams get a better understanding of the issue.

Signed-off-by: Siddhesh Poyarekar
Reviewed-by: Carlos O'Donell
---
Changes from v2:
- Added more context on inputs
- Added commit refs of backports

 advisories/GLIBC-SA-2026-0001 | 41 +++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 advisories/GLIBC-SA-2026-0001

diff --git a/advisories/GLIBC-SA-2026-0001 b/advisories/GLIBC-SA-2026-0001 new file mode 100644 index 0000000000..3e0ee3b3f4 --- /dev/null +++ b/advisories/GLIBC-SA-2026-0001
@@ -0,0 +1,41 @@ +Integer overflow in memalign leads to heap corruption + +Passing too large an alignment to the memalign suite of functions +(memalign, posix_memalign, aligned_alloc) in the GNU C Library version +2.30 to 2.42 may result in an integer overflow, which could consequently +result in a heap corruption. + +Note that the attacker must have control over both, the size as well as +the alignment arguments of the memalign function to be able to exploit +this. The size parameter must be close enough to PTRDIFF_MAX so as to +overflow size_t along with the large alignment argument. This limits +the malicious inputs for the alignment for memalign to the range [1<<62 ++ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc. + +Typically the alignment argument passed to such functions is a known +constrained quantity (e.g. page size, block size, struct sizes) and is +not attacker controlled, because of which this may not be easily +exploitable in practice. An application bug could potentially result in +the input alignment being too large, e.g. due to a different buffer +overflow or integer overflow in the application or its dependent +libraries, but that is again an uncommon usage pattern given typical +sources of alignments. 
+ +CVE-Id: CVE-2026-0861 +Public-Date: 2026-01-14 +Vulnerable-Commit: 9bf8e29ca136094f73f69f725f15c51facc97206 (2.30) +Fix-Commit: c9188d333717d3ceb7e3020011651f424f749f93 (2.43) +Fix-Commit: 7f19ef14fbce095d4c77395e258320cad2ea2b28 (2.30-153) +Fix-Commit: f18446d7b4a423090ee5e328c36b3c2a0f26041c (2.31-166) +Fix-Commit: 8aef9e7a7af9565c0324b4ecb38b30dfa3782fd8 (2.32-151) +Fix-Commit: 011293b4fd748cdd6f95874ba2b6aba9a3df8bff (2.33-275) +Fix-Commit: 2c77e52108a58956c9f674b36e1f59a4e3fdcf4d (2.34-525) +Fix-Commit: 499d1ccafccfe64df1b88deea2fa84d8180e8e8f (2.35-399) +Fix-Commit: fb6b8822175769b5794fb6ea04f2895483a29b61 (2.36-244) +Fix-Commit: 7b913d41a07836def826f2164c52541a9835f324 (2.37-172) +Fix-Commit: 744b63026a29f7eedbbc8e3a01a7f48a6eb0a085 (2.38-212) +Fix-Commit: fb22fd3f5b415dd4cd6f7b5741c2f0412374e242 (2.39-286) +Fix-Commit: bfc4dd9e526eacf3017dd8864ba0848e9d045dd4 (2.40-216) +Fix-Commit: 1e2c1ea4307197ccece0cda574bcfebf9080894c (2.41-121) +Fix-Commit: b0ec8fb689df862171f0f78994a3bdeb51313545 (2.42-49) +Reported-by: Igor Morgenstern, Aisle Research
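Review bot: In the second paragraph of the advisory text, the memalign range is written as "[1<<62 + 1, 1<<63]", which is ambiguous for readers who apply C operator precedence, where + binds tighter than << and so 1<<62 + 1 evaluates to 1<<63; write the lower bound as (1<<62) + 1 or 2^62 + 1. The same sentence gives the bounds as absolute values that only fit a 64-bit size_t, while the sentence before it is phrased in terms of PTRDIFF_MAX and size_t, so either state that the range applies to 64-bit targets or express it relative to SIZE_MAX. A short clause saying why posix_memalign and aligned_alloc are limited to exactly 1<<63 while memalign accepts a range would also help downstreams who triage from this text alone.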