CVE-2026-4046

HIGH

iconv crash due to assertion failure with untrusted input

Title source: cna

Description

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

Scores

CVSS v3: 7.5
EPSS: 0.0005
EPSS Percentile: 14.5%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-617
Status: published
Products (3):
gnu/glibc < 2.43
The GNU C Library/glibc 2.3.3
The GNU C Library/glibc 2.3.3 - 2.43
Published: Mar 30, 2026
Tracked Since: Mar 30, 2026