OSG-SEC-2026-02-10 High risk MUNGE buffer overflow vulnerability (CVE-2026-25506)
Dear OSG Security Contacts,
MUNGE is an authentication service for creating and validating user credentials. In versions 0.5 through 0.5.17, a local attacker could exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory.
IMPACTED VERSIONS:
>= 0.5, <= 0.5.17
WHAT ARE THE VULNERABILITIES:
A local attacker can trigger the buffer overflow by sending munged a crafted message with an oversized address length field. The overflow corrupts munged's internal state and enables extraction of the MAC subkey used for credential verification. An attacker who obtains this leaked key material could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The issue applies only to sites running Slurm with MUNGE.
MITIGATION:
As a precautionary measure, regenerate MUNGE keys on all systems after patching. Note that key regeneration requires stopping munged cluster-wide, which will impact running jobs that need to authenticate. Sites should schedule an appropriate maintenance window based on their risk tolerance and operational requirements.
WHAT YOU SHOULD DO:
Site admins should upgrade to 0.5.18 or apply vendor-supported updates that include fixes for CVE-2026-25506.
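A triage check for the affected range, added here as an example and not part of the original advisory or the MUNGE project: it classifies a version string against >= 0.5, <= 0.5.17. It assumes `munged --version` prints a string such as "munge-0.5.15 (2022-06-22)"; the function names are hypothetical, and a vendor package with a backported fix may still report an older version, so confirm against the vendor's advisory.

```shell
#!/bin/sh
# Added example: classify a MUNGE version against CVE-2026-25506's range
# (>= 0.5, <= 0.5.17; fixed in 0.5.18). Function names are hypothetical.

# Pull the dotted version out of "munge-0.5.15 (2022-06-22)" or a bare "0.5.15".
# The "munge-X.Y.Z (date)" output format is an assumption.
munge_extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Compare two dotted versions component by component, numerically.
# Prints -1, 0 or 1; missing components count as 0, so 0.5 equals 0.5.0.
munge_vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# Print "affected", "not-affected" or "unknown" for a version string.
munge_cve_2026_25506_status() {
    v=$(munge_extract_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif [ "$(munge_vercmp "$v" 0.5)" -ge 0 ] &&
         [ "$(munge_vercmp "$v" 0.5.17)" -le 0 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Report on the local daemon only when munged is installed on this host.
if command -v munged >/dev/null 2>&1; then
    munge_cve_2026_25506_status "$(munged --version 2>/dev/null)"
fi
```

Run it on every node that runs munged, since the key is shared cluster-wide and one unpatched host is enough to expose it.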
REFERENCES:
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-25506
[2] https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team