Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Local heap buffer overflow in MUNGE munged leading to key material disclosure and credential forgery

IdentifiersCVE-2026-25506CWE-122

CVE-2026-25506 is a local heap-based buffer overflow in MUNGE’s authentication daemon (munged) affecting MUNGE versions 0.5 through 0.5.17. The flaw is in message unpacking logic (reported in _msg_unpack for MUNGE_MSG_DEC_RSP) where an attacker-controlled 8-bit address length field (addr_len) is used to copy data into a fixed-size IPv4 address field (struct in_addr, 4 bytes) without enforcing bounds. Setting addr_len to an oversized value (e.g., 0xff) overflows into adjacent members of the struct m_msg, corrupting internal state and heap pointers (e.g., leading to invalid frees in m_msg_destroy) and enabling exploitable heap corruption. Exploitation can be used to obtain an arbitrary read primitive and ultimately leak MUNGE cryptographic key material (MAC/HMAC subkey) from munged process memory, which then enables forging arbitrary MUNGE credentials to impersonate other users to MUNGE-reliant services. The issue is fixed in MUNGE 0.5.18.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A local attacker can leverage the overflow to leak MUNGE secret key material from the munged process, specifically the MAC/HMAC subkey used to verify credentials. With this key material, the attacker can forge valid MUNGE credentials and impersonate arbitrary users (including root) to services that rely on MUNGE for authentication (commonly in Slurm/HPC environments where the same MUNGE key is shared cluster-wide). This can translate into cluster-wide authentication bypass/impersonation and practical privilege escalation within environments that trust MUNGE tokens for authorization decisions.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce exposure by limiting which local principals can communicate with the munged UNIX-domain socket (tighten filesystem permissions/ownership and service access controls) and restrict untrusted local code execution on nodes that can reach munged. Plan for expedited patching and subsequent MUNGE key rotation; key rotation is important because the primary risk is compromise of long-lived shared secret material.

Remediation

Patch, then assume compromise.

Upgrade MUNGE to version 0.5.18 (or a vendor-supported build that includes the fix). Per advisory guidance, after patching, regenerate/rotate the MUNGE keys (cluster-wide) during a maintenance window to invalidate any potentially compromised key material and previously forgeable credentials.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
DebianDebian Linuxoperating_system
OpensuseMungeapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app
the hacker newsNews
Feb 16, 2026
Weekly Recap: Outlook Add-Ins Hijack, 0-Day Patches, Wormable Botnet & AI Malware

A local vulnerability in Munge allowing leakage of the Munge secret key from memory, enabling forged credentials/tokens and impersonation (including root) in HPC cluster environments.

Read more
lexfo blogNews
Nov 12, 2025
Lexfo's security blog - Pwning Supercomputers - A 20yo vulnerability in Munge

A long-standing heap/struct overflow in Munge’s message unpacking logic where an attacker-controlled addr_len (uint8_t) is used to copy into a fixed-size struct in_addr (4 bytes). This can corrupt adjacent fields in struct m_msg, leading to invalid frees/crashes and, with exploitation, memory disclosure sufficient to recover Munge secrets (e.g., HMAC/encryption keys) and forge cluster-wide authentication tokens.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity7

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-25506
NVD
nvd.nist.gov/vuln/detail/CVE-2026-25506
MITRE CWE · CWE-122
cwe.mitre.org
Patch
openwall.com/lists/oss-security/2026/02/10/3
Patch
github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812
Patch
github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
Third Party Advisory
openwall.com/lists/oss-security/2026/02/17/6
Third Party Advisory
lists.debian.org/debian-lts-announce/2026/02/msg00015.html
Release Notes
github.com/dun/munge/releases/tag/munge-0.5.18