How is CVE-2026-43958 exploited?

Network reachability (not-required): The attacker needs an existing shell or process on the host; no network path to the target is required, only local access to the rrdcached socket. Authentication (required): Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to reach the rrdcached socket. Victim interaction (not-required): No user action or social engineering is needed; the attacker sends the malicious CREATE request directly to the daemon. Attack complexity (info): The exploit is reliable and condition-free; no race conditions, memory-layout guessing, or other environmental factors are required to trigger the overflow.

What is the impact of CVE-2026-43958?

Crashes the rrdcached daemon, interrupting time-series data collection and any dependent monitoring or graphing services. Enables execution of arbitrary code in the context of the rrdcached process, giving the attacker a foothold on the host. Reads confidential data accessible to the rrdcached process, including stored metrics and any credentials or tokens present in its memory or working directory. Modifies or destroys persisted RRD database files, corrupting historical metrics data.

Back to search

HIGHCVE-2026-43958Published 2026-06-01Modified 2026-06-02CNA redhat

CVE-2026-43958: Rrdtool: rrdtool: stack buffer overflow allows local code execution or denial of service

A flaw was found in rrdcached, a component of rrdtool. A local attacker with access to a rrdcached socket can exploit a stack-based buffer overflow by sending an oversized CREATE request. This vulnerability can lead to a denial of service by crashing the daemon or potentially allow for arbitrary code execution, impacting the integrity and confidentiality of data.

CVSS v3.1: 7.8
Severity: HIGH
Fixed in: —
Affected Products: 5

HarborGuard Analysis

Synopsis

A stack-based buffer overflow exists in rrdcached, a daemon component of rrdtool. An attacker with local access and the ability to reach the rrdcached socket can trigger the overflow by sending an oversized CREATE request, requiring only a low-privilege account. Successful exploitation crashes the daemon (denial of service) or enables arbitrary code execution, giving the attacker full control over data integrity and confidentiality on the affected host. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Red Hat security advisories) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle rrdtool or rrdcached.

Available

Triage

HarborGuard scores this finding at CVSS 7.8 HIGH using the v3.1 vector and is capable of weighting that score against each environment's compliance policy to reflect organizational risk tolerance; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no fix version has been published, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat or the upstream rrdtool project ships a resolution. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.

Pending upstream

Exploit Conditions

Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network path to the target is required, only local access to the rrdcached socket.
AuthenticationRequired
Any low-privilege local account is sufficient; the attacker does not need administrative or root credentials to reach the rrdcached socket.
Victim interactionNot required
No user action or social engineering is needed; the attacker sends the malicious CREATE request directly to the daemon.
Attack complexityDetail
The exploit is reliable and condition-free; no race conditions, memory-layout guessing, or other environmental factors are required to trigger the overflow.

Blast Radius

Crashes the rrdcached daemon, interrupting time-series data collection and any dependent monitoring or graphing services.
Enables execution of arbitrary code in the context of the rrdcached process, giving the attacker a foothold on the host.
Reads confidential data accessible to the rrdcached process, including stored metrics and any credentials or tokens present in its memory or working directory.
Modifies or destroys persisted RRD database files, corrupting historical metrics data.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-43958 at this time, the platform monitors the Red Hat and upstream rrdtool advisory feeds on every ingest cycle. The moment a fix version is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, this triggers a full rebuild, regression-test run, and a PR opened against affected workloads automatically. In the interim, compensating controls worth evaluating include restricting filesystem permissions on the rrdcached socket to limit which local users and processes can connect, applying network-policy isolation to prevent lateral movement from any process already able to reach the socket, and where operationally feasible, running rrdcached in a dedicated container or namespace with a minimal privilege profile to contain the impact of exploitation.

See how HarborGuard automates this

Affected packages

Red Hat / Red Hat Enterprise Linux 10
Red Hat / Red Hat Enterprise Linux 6
Red Hat / Red Hat Enterprise Linux 7
Red Hat / Red Hat Enterprise Linux 8
Red Hat / Red Hat Enterprise Linux 9

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Metrics

Get notified