Message-ID: <CAD04+wjxELttyk3eqnVv8paq4Bpi9L3mQ1nP=xH=8WA1rTO97Q@mail.gmail.com>
Date: Fri, 23 Jan 2026 10:49:29 -0500
From: Richard Howe <rhowe425@...il.com>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: denial-of-service issue in musl’s iconv implementation

Yes it is.

The bug that I discovered is triggered by a specially crafted input to
iconv(), which causes an assertion failure in iconv/skeleton.c (outbuf ==
outerr). The application terminates with a controlled abort when processing
this input. The resulting impact is DoS only. No code execution or memory
corruption beyond the assertion is observed.

CVE-2025-26519 involves memory corruption in iconv() that can lead to *remote
code execution*. This bug bypasses musl's assertion checks (or exists in a
completely separate code path) resulting in memory corruption / code
execution. The triggering input, mechanism, and potential impact are all
different. Consequently, this bug warrants a separate CVE entry focused on
process termination (DoS) rather than code execution.


On Fri, Jan 23, 2026 at 10:40 AM Rich Felker <dalias@...c.org> wrote:

> On Fri, Jan 23, 2026 at 10:17:51AM -0500, Richard Howe wrote:
> > Hello,
> >
> > I am reporting a denial-of-service issue in musl’s iconv implementation.
> > Summary
>
> Is this distinct from CVE-2025-26519?
>
> https://www.openwall.com/lists/musl/2025/02/13/1
>
>
>
