(3.0.0-3.14.1) Privilege escalation on MUNGE caused by CVE-2026-25506

### The issue

[MUNGE](https://github.com/dun/munge)  is the service responsible for authenticating communications in Slurm clusters. All versions from 0.5 to 0.5.17 are affected by [CVE-2026-25506](https://nvd.nist.gov/vuln/detail/CVE-2026-25506). This vulnerability allows local users to trigger a buffer overflow in munged's message unpacking code, leaking the cryptographic key from process memory. With that key, attackers can forge credentials to impersonate any user (including root)—on Slurm clusters, this should be treated as a local-root exploit.

### Affected ParallelCluster versions, OSes and schedulers

All ParallelCluster versions on all OSes when using the Slurm scheduler are impacted.

### Mitigation

You can find a detailed explanation and the mitigation of the problem [here](https://github.com/aws/aws-parallelcluster/wiki/(3.0.0%E2%80%903.14.1)-Privilege-escalation-on-MUNGE-caused-by-CVE%E2%80%902026%E2%80%9025506)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

(3.0.0-3.14.1) Privilege escalation on MUNGE caused by CVE-2026-25506 #7233

The issue

Affected ParallelCluster versions, OSes and schedulers

Mitigation

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

(3.0.0-3.14.1) Privilege escalation on MUNGE caused by CVE-2026-25506 #7233

Description

The issue

Affected ParallelCluster versions, OSes and schedulers

Mitigation

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions