Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.
AnalysisAI
Inefficient algorithmic complexity in musl libc's GB18030 4-byte decoder (iconv function in src/locale/iconv.c) affects versions up to 1.2.6 and allows local authenticated attackers to cause availability impact through resource exhaustion. The vulnerability requires local access and authenticated privileges but enables denial of service via algorithmic complexity exploitation. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in the iconv character set conversion implementation within musl libc, specifically in the GB18030 4-byte decoder component. GB18030 is a Chinese character encoding standard that supports multi-byte character sequences. The flaw represents a CWE-407 (Algorithmic Complexity) weakness, where the decoder's processing logic allows an attacker to craft specific input sequences that cause disproportionate computational resource consumption. The musl libc library (cpe:2.3:a:musl:libc:*:*:*:*:*:*:*:*) is a lightweight C standard library commonly used in embedded systems, containers, and Alpine Linux distributions. The iconv subsystem is responsible for character encoding conversion and is often invoked by applications processing untrusted text data.
RemediationAI
Patch available per vendor advisory; users should upgrade musl libc beyond version 1.2.6 to obtain the fix. Consult the OpenWall security mailing list (https://www.openwall.com/lists/oss-security/2026/04/03/2) for specific patched version details and deployment guidance. For systems unable to immediately patch, restrict local user access where feasible and monitor for unusual resource consumption patterns associated with iconv operations on untrusted GB18030-encoded text. Applications should validate and sanitize GB18030 input before iconv processing if possible.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21354
GHSA-2qh3-3rmv-x43w