CVE-2026-6042 - Vulnerability Details

- musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity

Description

A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.

Published: 2026-04-10

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in the GB18030 four‑byte decoder of musl libc allows local attackers to craft data that causes the iconv routine to exhibit excessive algorithmic complexity. The result is a practical denial‑of‑service condition, as processing the data consumes disproportionate CPU time. The weakness is aligned with CWE‑1050 (Infinite Recursion), CWE‑404 (Improper Handling of File Paths), and CWE‑407 (Inefficient Algorithm).

Affected Systems

The vulnerability exists in musl libc versions up to 1.2.6 and impacts the "iconv" function in the GB18030 decoder component. It affects systems that compile or link against this version of musl, which includes many Linux distributions and embedded platforms relying on musl as the standard C library.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, but the EPSS score below 1% and the lack of listing in the CISA KEV catalog suggest that exploitation is unlikely at present. Nevertheless, the problem requires local execution privileges, so any untrusted local user or compromised local process could trigger resource exhaustion. The risk is therefore primarily to availability rather than confidentiality or integrity.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

musl

libc

affected

Version	Status	Constraints
`1.2.0`	affected	—
`1.2.1`	affected	—
`1.2.2`	affected	—
`1.2.3`	affected	—
`1.2.4`	affected	—
`1.2.5`	affected	—
`1.2.6`	affected	—

No data.

Vendor Product Confidence Versions

Musl

Libc

100%

Version	Status	Scheme	Platform
`1.2.0`	affected	semver	—
`1.2.1`	affected	semver	—
`1.2.2`	affected	semver	—
`1.2.3`	affected	semver	—
`1.2.4`	affected	semver	—
`1.2.5`	affected	semver	—
`1.2.6`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade musl libc to the latest released version that incorporates the patch for the GB18030 decoder
If upgrading is not immediately possible, limit the execution of local processes that may invoke the iconv routine through containerization or strict user permissions
Monitor system CPU usage and set limits on processes that perform iconv operations to prevent accidental DoS

Generated by OpenCVE AI on April 14, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/09/19
https://nvd.nist.gov/vuln/detail/CVE-2026-6042
https://vuldb.com/submit/796352
https://vuldb.com/vuln/356620
https://vuldb.com/vuln/356620/cti
https://www.cve.org/CVERecord?id=CVE-2026-6042
https://www.openwall.com/lists/oss-security/2026/04/02/10
https://www.openwall.com/lists/oss-security/2026/04/03/2

History

Tue, 14 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-1050
References		https://nvd.nist.gov/vuln/detail/CVE-2026-6042 https://www.cve.org/CVERecord?id=CVE-2026-6042
Metrics	threat_severity `None`	threat_severity `Moderate`

Fri, 10 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Musl Musl libc
Vendors & Products		Musl Musl libc

Fri, 10 Apr 2026 10:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/09/19

Fri, 10 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.
Title		musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity
Weaknesses		CWE-404 CWE-407
References		https://vuldb.com/submit/796352 https://vuldb.com/vuln/356620 https://vuldb.com/vuln/356620/cti https://www.openwall.com/lists/oss-security/2026/04/02/10 https://www.openwall.com/lists/oss-security/2026/04/03/2
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Musl Libc

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-10T09:00:18.733Z

Updated: 2026-04-10T15:54:06.200Z

Reserved: 2026-04-09T17:34:11.256Z

Link: CVE-2026-6042

Vulnrichment

Updated: 2026-04-10T09:31:09.913Z

NVD

Status : Deferred

Published: 2026-04-10T09:16:25.450

Modified: 2026-04-24T18:01:13.913

Link: CVE-2026-6042

Redhat

Severity : Moderate

Publid Date: 2026-04-10T09:00:18Z

Links: CVE-2026-6042 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:34Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object