Grype DB does not represent affected glibc versions as a range for CVE-2026-5450 #1033

Description

@nick-langford

CVE-2026-5450 states that glibc versions 2.7 to 2.43 inclusive are impacted by this vulnerability. The grype DB shows this as only affecting v2.7. Given that I am currently using v2.39 of glibc, CVE-2026-5450 is not being included in my VEX file, when it should be.

Please provide a set of steps on how to reproduce the issue
1. Update the local grype db: grype db update
2. Read the conditions for identifying the CVE as a current vulnerability:
   grype db search --vuln CVE-2026-5450 | grep cpe

What happened:
The version range information returned a specific version rather than a range:
CVE-2026-5450 cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* nvd:cpe = 2.7

What you expected to happen:
I would expect the following to be returned:
CVE-2026-5450 cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* nvd:cpe >= 2.7, <= 2.43

Anything else we need to know?:
My db is located at:
~/.cache/grype/db/6/vulnerability.db
Environment:

  • Output of grype-db version:
    grype --version
    grype 0.112.0

  • grype db status

Schema:    v6.1.7
Built:     2026-06-08T08:07:19Z
From:      https://grype.anchore.io/databases/v6/vulnerability-db_v6.1.7_2026-06-08T00:56:26Z_1780906039.tar.zst?checksum=sha256%3A940be8c73635e252cebb5a94c731ff2747ec492b1f65f301956e6fb538e52c4d
Status:    valid
  • OS (e.g: cat /etc/os-release or similar):
    cat /etc/os-release
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.1 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
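
Added example, not part of the original report and not grype's own matching code: a simplified Python check showing why the `= 2.7` row quoted above misses an installed glibc 2.39 while the expected `>= 2.7, <= 2.43` row matches it. The row layout is taken from the output quoted in the report; the helper names (`vkey`, `parse_row`, `is_affected`, `pinned_on_wildcard_cpe`) and the dotted-numeric version comparison are assumptions.

```python
import operator
import re

# Rows copied from the report: what the DB returned vs. what the reporter expected.
OBSERVED = "CVE-2026-5450 cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* nvd:cpe = 2.7"
EXPECTED = "CVE-2026-5450 cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:* nvd:cpe >= 2.7, <= 2.43"

OPS = {"=": operator.eq, "<": operator.lt, "<=": operator.le,
       ">": operator.gt, ">=": operator.ge}
CLAUSE = re.compile(r"\s*(<=|>=|<|>|=)\s*(\d+(?:\.\d+)*)\s*")

def vkey(version):
    """Dotted version as an int tuple, so 2.39 sorts after 2.7 (assumed scheme)."""
    return tuple(int(part) for part in version.split("."))

def parse_row(row):
    """Split a row into (vuln id, CPE, namespace, [(operator, version), ...])."""
    vuln, cpe, namespace, constraint = row.split(None, 3)
    clauses = []
    for text in constraint.split(","):
        match = CLAUSE.fullmatch(text)
        if match is None:
            raise ValueError(f"unrecognised constraint clause: {text!r}")
        clauses.append((match.group(1), match.group(2)))
    return vuln, cpe, namespace, clauses

def is_affected(row, installed):
    """True when the installed version satisfies every clause of the row."""
    clauses = parse_row(row)[3]
    return all(OPS[op](vkey(installed), vkey(bound)) for op, bound in clauses)

def pinned_on_wildcard_cpe(row):
    """Triage heuristic: CPE version field is '*', yet the constraint pins one version."""
    cpe, clauses = parse_row(row)[1], parse_row(row)[3]
    return cpe.split(":")[5] == "*" and [op for op, _ in clauses] == ["="]

if __name__ == "__main__":
    for label, row in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(label, "matches 2.39:", is_affected(row, "2.39"),
              "| pinned on wildcard CPE:", pinned_on_wildcard_cpe(row))
```

Rows that `pinned_on_wildcard_cpe` flags are candidates for the same false negative and are worth comparing against the upstream CVE record before trusting a scan or VEX output that omits them.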
