{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6042", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-09T17:34:11.256Z", "datePublished": "2026-04-10T09:00:18.733Z", "dateUpdated": "2026-04-10T15:54:06.200Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-10T09:00:18.733Z"}, "title": "musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-407", "lang": "en", "description": "Inefficient Algorithmic Complexity"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-404", "lang": "en", "description": "Denial of Service"}]}], "affected": [{"vendor": "musl", "product": "libc", "versions": [{"version": "1.2.0", "status": "affected"}, {"version": "1.2.1", "status": "affected"}, {"version": "1.2.2", "status": "affected"}, {"version": "1.2.3", "status": "affected"}, {"version": "1.2.4", "status": "affected"}, {"version": "1.2.5", "status": "affected"}, {"version": "1.2.6", "status": "affected"}], "modules": ["GB18030 4-byte Decoder"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "timeline": [{"time": "2026-04-09T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-09T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-09T19:58:49.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "0x001 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "0x001 (VulDB User)", "type": "analyst"}], "references": [{"url": "https://vuldb.com/vuln/356620", "name": "VDB-356620 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356620/cti", "name": "VDB-356620 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/796352", "name": "Submit #796352 | musl libc musl 0.8.0 - 1.2.6 Inefficient Algorithmic Complexity", "tags": ["third-party-advisory"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/10", "tags": ["related"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/03/2", "tags": ["patch"]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T09:31:09.913Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T15:44:05.493056Z", "id": "CVE-2026-6042", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T15:54:06.200Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T09:31:09.913Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6042", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T15:44:05.493056Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T15:44:17.351Z"}}], "cna": {"title": "musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity", "credits": [{"lang": "en", "type": "reporter", "value": "0x001 (VulDB User)"}, {"lang": "en", "type": "analyst", "value": "0x001 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:X/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:ND/RL:OF/RC:C"}}], "affected": [{"vendor": "musl", "modules": ["GB18030 4-byte Decoder"], "product": "libc", "versions": [{"status": "affected", "version": "1.2.0"}, {"status": "affected", "version": "1.2.1"}, {"status": "affected", "version": "1.2.2"}, {"status": "affected", "version": "1.2.3"}, {"status": "affected", "version": "1.2.4"}, {"status": "affected", "version": "1.2.5"}, {"status": "affected", "version": "1.2.6"}]}], "timeline": [{"lang": "en", "time": "2026-04-09T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-09T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-09T19:58:49.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/356620", "name": "VDB-356620 | musl libc GB18030 4-byte Decoder iconv.c iconv algorithmic complexity", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/356620/cti", "name": "VDB-356620 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/796352", "name": "Submit #796352 | musl libc musl 0.8.0 - 1.2.6 Inefficient Algorithmic Complexity", "tags": ["third-party-advisory"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/02/10", "tags": ["related"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/03/2", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-407", "description": "Inefficient Algorithmic Complexity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-404", "description": "Denial of Service"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-10T09:00:18.733Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6042", "state": "PUBLISHED", "dateUpdated": "2026-04-10T15:54:06.200Z", "dateReserved": "2026-04-09T17:34:11.256Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-10T09:00:18.733Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch."}], "id": "CVE-2026-6042", "lastModified": "2026-04-24T18:01:13.913", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-10T09:16:25.450", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/796352"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356620"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/356620/cti"}, {"source": "cna@vuldb.com", "url": "https://www.openwall.com/lists/oss-security/2026/04/02/10"}, {"source": "cna@vuldb.com", "url": "https://www.openwall.com/lists/oss-security/2026/04/03/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-407"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{"bugzilla": {"description": "musl libc: GB18030 4-byte Decoder: musl libc: Denial of Service via inefficient algorithmic complexity in iconv", "id": "2457266", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457266"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1050", "details": ["A flaw was found in musl libc, specifically within the `iconv` function of the GB18030 4-byte Decoder component. A local attacker can exploit this vulnerability by performing a specific manipulation, leading to inefficient algorithmic complexity. This can result in a Denial of Service (DoS) due to excessive resource consumption, impacting system availability."], "name": "CVE-2026-6042", "public_date": "2026-04-10T09:00:18Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6042\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6042\nhttp://www.openwall.com/lists/oss-security/2026/04/09/19\nhttps://vuldb.com/submit/796352\nhttps://vuldb.com/vuln/356620\nhttps://vuldb.com/vuln/356620/cti\nhttps://www.openwall.com/lists/oss-security/2026/04/02/10\nhttps://www.openwall.com/lists/oss-security/2026/04/03/2"], "statement": "A MODERATE flaw in musl libc's `iconv` function, specifically within the GB18030 4-byte Decoder, allows a local attacker to trigger a Denial of Service. This vulnerability arises from inefficient algorithmic complexity when processing specific manipulations. Red Hat Enterprise Linux does not use musl libc as its default C library, limiting direct impact to environments or applications that explicitly utilize musl libc.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.2"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.3"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.4"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.5"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.6"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "libc", "source": "cna", "vendor": "musl"}, "product": "libc", "vendor": "musl"}], "analysis": {"en": {"generated_at": "2026-04-14T13:23:14.797149+00:00", "value": {"mitigation_remediation": ["Upgrade musl libc to the latest released version that incorporates the patch for the GB18030 decoder", "If upgrading is not immediately possible, limit the execution of local processes that may invoke the iconv routine through containerization or strict user permissions", "Monitor system CPU usage and set limits on processes that perform iconv operations to prevent accidental DoS"], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in musl libc versions up to 1.2.6 and impacts the \"iconv\" function in the GB18030 decoder component. It affects systems that compile or link against this version of musl, which includes many Linux distributions and embedded platforms relying on musl as the standard C library.", "description_and_impact": "A flaw in the GB18030 four\u2011byte decoder of musl libc allows local attackers to craft data that causes the iconv routine to exhibit excessive algorithmic complexity. The result is a practical denial\u2011of\u2011service condition, as processing the data consumes disproportionate CPU time. The weakness is aligned with CWE\u20111050 (Infinite Recursion), CWE\u2011404 (Improper Handling of File Paths), and CWE\u2011407 (Inefficient Algorithm).", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity, but the EPSS score below 1% and the lack of listing in the CISA KEV catalog suggest that exploitation is unlikely at present. Nevertheless, the problem requires local execution privileges, so any untrusted local user or compromised local process could trigger resource exhaustion. The risk is therefore primarily to availability rather than confidentiality or integrity."}}}}, "created": "2026-04-10T14:40:51.085499+00:00", "updated": "2026-04-14T16:36:34.507632+00:00", "vendors": ["musl", "musl$PRODUCT$libc"]}