CVE-2026-6042

LOW

musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-6042. PoCs published by adminlove520, jensnesten.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept exploit for CVE-2026-6042, demonstrating an algorithmic complexity denial-of-service vulnerability in musl libc's `iconv` GB18030 decoder. The exploit includes a standalone PoC, a vulnerable HTTP server, and a Docker setup to reproduce the issue.

Description

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.

Exploits (2)

github WORKING POC 4 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-6042

This repository contains a functional proof-of-concept exploit for CVE-2026-6042, demonstrating an algorithmic complexity denial-of-service vulnerability in musl libc's `iconv` GB18030 decoder. The exploit includes a standalone PoC, a vulnerable HTTP server, and a Docker setup to reproduce the issue.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: musl libc (iconv implementation)
No auth needed
Prerequisites: musl libc-based system (e.g., Alpine Linux) · service that uses `iconv` on untrusted input
devstral-2 · analyzed May 09, 2026

nomisec WORKING POC
by jensnesten · poc
https://github.com/jensnesten/CVE-2026-6042-PoC

This repository contains a functional proof-of-concept exploit for CVE-2026-6042, demonstrating an algorithmic complexity DoS vulnerability in musl libc's `iconv` GB18030 decoder. The PoC includes a standalone timing test and a Dockerized HTTP server to simulate real-world attack scenarios.

Classification: Working PoC 100%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: musl libc (iconv implementation)
No auth needed
Prerequisites: musl libc-based system (e.g., Alpine Linux) · service that calls `iconv()` on untrusted input
devstral-2 · analyzed Apr 15, 2026

References (6)

Core References

Third Party Advisory: Submit #796352 | musl libc musl 0.8.0 - 1.2.6 Inefficient Algorithmic Complexity
https://vuldb.com/submit/796352

VDB Entry, Technical Description: VDB-356620 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity
https://vuldb.com/vuln/356620

Signature, Permissions Required: VDB-356620 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/356620/cti

Scores

CVSS v3: 3.3
EPSS: 0.0001
EPSS Percentile: 0.3%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-404, CWE-407
Status: published
Products (7):
musl/libc 1.2.0
musl/libc 1.2.1
musl/libc 1.2.2
musl/libc 1.2.3
musl/libc 1.2.4
musl/libc 1.2.5
musl/libc 1.2.6
Published: Apr 10, 2026
Tracked Since: Apr 10, 2026