Skip to main content

Libc CVE-2026-6042

| EUVDEUVD-2026-21354 MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-04-10 VulDB GHSA-2qh3-3rmv-x43w
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
5.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 09:15 euvd
EUVD-2026-21354
Analysis Generated
Apr 10, 2026 - 09:15 vuln.today
Patch released
Apr 10, 2026 - 09:15 nvd
Patch available
CVE Published
Apr 10, 2026 - 09:00 nvd
MEDIUM 4.8

DescriptionCVE.org

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.

AnalysisAI

Inefficient algorithmic complexity in musl libc's GB18030 4-byte decoder (iconv function in src/locale/iconv.c) affects versions up to 1.2.6 and allows local authenticated attackers to cause availability impact through resource exhaustion. The vulnerability requires local access and authenticated privileges but enables denial of service via algorithmic complexity exploitation. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability resides in the iconv character set conversion implementation within musl libc, specifically in the GB18030 4-byte decoder component. GB18030 is a Chinese character encoding standard that supports multi-byte character sequences. The flaw represents a CWE-407 (Algorithmic Complexity) weakness, where the decoder's processing logic allows an attacker to craft specific input sequences that cause disproportionate computational resource consumption. The musl libc library (cpe:2.3:a:musl:libc:*:*:*:*:*:*:*:*) is a lightweight C standard library commonly used in embedded systems, containers, and Alpine Linux distributions. The iconv subsystem is responsible for character encoding conversion and is often invoked by applications processing untrusted text data.

RemediationAI

Patch available per vendor advisory; users should upgrade musl libc beyond version 1.2.6 to obtain the fix. Consult the OpenWall security mailing list (https://www.openwall.com/lists/oss-security/2026/04/03/2) for specific patched version details and deployment guidance. For systems unable to immediately patch, restrict local user access where feasible and monitor for unusual resource consumption patterns associated with iconv operations on untrusted GB18030-encoded text. Applications should validate and sanitize GB18030 input before iconv processing if possible.

Vendor StatusVendor

Share

CVE-2026-6042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy