The uClibc and uClibc-ng libraries generate DNS requests with incremental
transaction IDs and, at the same time, do not enforce any explicit port
randomization technique during the network connection.
This may allow an attacker to perform DNS cache poisoning attacks.
More information in the "Exploitability" section here

The vulnerability was confirmed statically and dynamically on version
0.9.33.2. By downloading all releases available on the uClibc website, the
vulnerability was confirmed statically in all versions (up to and including
Additionally, by downloading all available releases of uClibc-ng, the
vulnerability was confirmed statically for this library in all versions (up to
and including 1.0.38, latest available at the time of the research).
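
A way to check a device's resolver for the incremental transaction ID behaviour described above, given DNS queries captured in order from that device. This is an added example, not code from the advisory or from uClibc; the function names are hypothetical and the sample queries are constructed.

```python
import struct

def build_query(txid, name="example.com"):
    """Build a minimal DNS A/IN query; used only to construct sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def transaction_id(message):
    """Return the 16-bit ID from a DNS query header (RFC 1035, section 4.1.1)."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", message[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    return txid

def audit_txids(messages, min_queries=4):
    """Classify the ID sequence of queries captured in order from one client."""
    ids = [transaction_id(m) for m in messages]
    if len(ids) < min_queries:
        return {"ids": ids, "deltas": [], "verdict": "insufficient-data"}
    # Difference modulo 2**16 so that 0xFFFF -> 0x0000 still counts as +1.
    deltas = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    verdict = "incremental" if all(d == 1 for d in deltas) else "not-incremental"
    return {"ids": ids, "deltas": deltas, "verdict": verdict}

# Constructed sample captures (not taken from the advisory).
CONSTRUCTED_INCREMENTAL = [build_query(i & 0xFFFF) for i in range(0xFFFE, 0x10002)]
CONSTRUCTED_VARIED = [build_query(i) for i in (0x3A91, 0xC004, 0x17BE, 0x8E52)]

if __name__ == "__main__":
    for label, capture in (("incremental", CONSTRUCTED_INCREMENTAL),
                           ("varied", CONSTRUCTED_VARIED)):
        print(label, audit_txids(capture))
```

A "not-incremental" verdict on a short capture only rules out the strict +1 pattern; it does not show that the IDs are unpredictable.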