Description
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
Published: 2026-04-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stack‑based memory corruption leading to arbitrary code execution and denial of service
Action: Apply Patch
AI Analysis

Impact

An implementation flaw in the qsort routine of musl libc causes a stack‑based memory corruption when sorting arrays that contain a very large number of elements (exceeding roughly seven million on 32‑bit systems). The bug stems from incorrectly implemented double‑word primitives, which can overwrite control data on the stack. When triggered, this overflow can allow an attacker to execute arbitrary code or crash the process. The vulnerability is related to integer overflows (CWE‑190) and uncontrolled modification of execution flow (CWE‑670).

Affected Systems

musl libc versions 0.7.10 through 1.2.6 are affected. Systems that ship with these versions, including many Linux distributions and embedded devices that rely on musl as the standard C library, are at risk. No other vendors or products are listed. Users should verify the musl version in use and compare it to the affected range.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high severity issue, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA Known Exploit Vulnerabilities catalog, further indicating low exploitation activity. Exploitation requires an attacker to construct a data set large enough to trigger the overflow (a 64‑bit environment would need an array size equal to the 64th Leonardo number, which is not practical). Therefore, the realistic attack probability for typical systems is low unless a publicly exposed service or script processes extremely large input arrays.

Generated by OpenCVE AI on April 14, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade musl libc to a version newer than 1.2.6, ideally the latest release from musl.libc.org.
  • If an upgrade cannot be performed immediately, modify applications that use qsort to avoid sorting arrays larger than about seven million elements or replace qsort with a safer sorting routine that bounds the input size.
  • Verify that no accessible services, scripts, or APIs process exceptionally large inputs that could trigger the bug; if they do, enforce input size limits at the application level.
  • Monitor vendor advisories and security mailing lists for the latest patches and apply them promptly.

Generated by OpenCVE AI on April 14, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 10 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
First Time appeared Musl-libc
Musl-libc musl
Weaknesses CWE-670
CPEs cpe:2.3:a:musl-libc:musl:*:*:*:*:*:*:*:*
Vendors & Products Musl-libc
Musl-libc musl
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Musl-libc Musl
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-14T14:32:24.901Z

Reserved: 2026-04-10T00:00:00.000Z

Link: CVE-2026-40200

cve-icon Vulnrichment

Updated: 2026-04-10T17:17:25.925Z

cve-icon NVD

Status : Deferred

Published: 2026-04-10T17:17:14.107

Modified: 2026-04-27T19:18:46.690

Link: CVE-2026-40200

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-10T00:00:00Z

Links: CVE-2026-40200 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:38Z

Weaknesses