MEDIUM

CVE-2026-3904

CWE-366 · Published: March 11, 2026 · Updated: Mar 12, 2026

CVSS v3.1: 6.2
EPSS: 0.01% probability of exploitation in 30 days · Percentile: 1.3th

Official Description

Calling NSS-backed functions that support caching via nscd may call the nscd client side code and in the GNU C Library version 2.36 under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash.

The nscd client in the GNU C Library uses the memcmp function with inputs that may be concurrently modified by another thread, potentially resulting in spurious cache misses, which in itself is not a security issue. However in the GNU C Library version 2.36 an optimized implementation of memcmp was introduced for x86_64 which could crash when invoked with such undefined behaviour, turning this into a potential crash of the nscd client and the application that uses it. This implementation was backported to the 2.35 branch, making the nscd client in that branch vulnerable as well. Subsequently, the fix for this issue was backported to all vulnerable branches in the GNU C Library repository.

It is advised that distributions that may have cherry-picked the memcpy SSE2 optimization in their copy of the GNU C Library, also apply the fix to avoid the potential crash in the nscd client.

NVD Source

Technical Analysis

CVE-2026-3904 requires local access, meaning attackers must already have a foothold on the target system.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 6.2.

CVSS v3.1 Vector Breakdown

Exploitability
Attack Vector: Local
Attack Complexity: Low
Privileges Req.: None
User Interaction: None
Scope: Unchanged

Impact
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit & PoC Resources

NO KNOWN EXPLOIT: No public exploit confirmed at this time

Quick Facts

CVE ID: CVE-2026-3904
CVSS Score: 6.2 / 10
Severity: MEDIUM
Weakness: CWE-366
CISA KEV: No
EPSS (30d): 0.01%
Published: Mar 11, 2026

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-3904 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.