CVE-2026-4046
HIGH
iconv crash due to assertion failure with untrusted input
Title source: cnaDescription
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
References (3)
Core References
issue-tracking
https://sourceware.org/bugzilla/show_bug.cgi?id=33980
vendor-advisory
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD
mailing-list
https://inbox.sourceware.org/libc-announce/[email protected]/T/#u
Scores
CVSS v3
7.5
EPSS
0.0036
EPSS Percentile
27.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-617
Status
published
Products (3)
gnu/glibc
< 2.43
The GNU C Library/glibc
2.3.3
The GNU C Library/glibc
2.3.3 - 2.43
Published
Mar 30, 2026
Tracked Since
Mar 30, 2026