{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4046", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "state": "PUBLISHED", "assignerShortName": "glibc", "dateReserved": "2026-03-12T10:12:32.994Z", "datePublished": "2026-03-30T17:16:11.021Z", "dateUpdated": "2026-03-30T17:37:52.633Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "glibc", "vendor": "The GNU C Library", "versions": [{"lessThan": "*", "status": "affected", "version": "2.3.3", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rocket Ma"}], "datePublic": "2026-03-12T09:02:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n<br>\n<br>This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.\n<br>"}], "value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "CWE-617 Reachable assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-03-30T17:37:52.633Z"}, "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33980"}, {"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"}], "source": {"discovery": "UNKNOWN"}, "title": "iconv crash due to assertion failure with untrusted input", "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T17:33:59.227677Z", "id": "CVE-2026-4046", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T17:35:48.736Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4046", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T17:33:59.227677Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T17:35:44.684Z"}}], "cna": {"title": "iconv crash due to assertion failure with untrusted input", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Rocket Ma"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "affected": [{"vendor": "The GNU C Library", "product": "glibc", "versions": [{"status": "affected", "version": "2.3.3", "lessThan": "*", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-12T09:02:00.000Z", "references": [{"url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33980"}, {"url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.", "supportingMedia": [{"type": "text/html", "value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n<br>\n<br>This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.\n<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable assertion"}]}], "providerMetadata": {"orgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "shortName": "glibc", "dateUpdated": "2026-03-30T17:37:52.633Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4046", "state": "PUBLISHED", "dateUpdated": "2026-03-30T17:37:52.633Z", "dateReserved": "2026-03-12T10:12:32.994Z", "assignerOrgId": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "datePublished": "2026-03-30T17:16:11.021Z", "assignerShortName": "glibc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.\n\n\n\nThis vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them."}, {"lang": "es", "value": "La funci\u00f3n iconv() en la Biblioteca C de GNU versiones 2.43 y anteriores puede colapsar debido a un fallo de aserci\u00f3n al convertir entradas de los conjuntos de caracteres IBM1390 o IBM1399, lo que puede ser utilizado para colapsar una aplicaci\u00f3n de forma remota.\n\nEsta vulnerabilidad puede mitigarse trivialmente al eliminar los conjuntos de caracteres IBM1390 e IBM1399 de los sistemas que no los necesiten."}], "id": "CVE-2026-4046", "lastModified": "2026-04-01T14:24:21.833", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-30T18:16:19.573", "references": [{"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/bugzilla/show_bug.cgi?id=33980"}, {"source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "url": "https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"}], "sourceIdentifier": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "3ff69d7a-14f2-4f67-a097-88dee7810d18", "type": "Secondary"}]}

{"bugzilla": {"description": "glibc: glibc: Denial of Service via iconv() function with specific character sets", "id": "2453117", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453117"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-617", "details": ["A flaw was found in glibc, the GNU C Library. A remote attacker could exploit this vulnerability by providing specially crafted inputs using the IBM1390 or IBM1399 character sets to the `iconv()` function. This could lead to an assertion failure, causing the application to crash and resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4046", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-30T17:16:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4046\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4046\nhttps://sourceware.org/bugzilla/show_bug.cgi?id=33980\nhttps://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007;hb=HEAD"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.3.3,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glibc", "source": "cna", "vendor": "The GNU C Library"}, "product": "glibc", "vendor": "the_gnu_c_library"}], "analysis": {"en": {"generated_at": "2026-03-30T19:50:53.795960+00:00", "value": {"mitigation_remediation": ["Remove the IBM1390 and IBM1399 character sets from glibc on systems that do not need them.", "Ensure that applications and services do not accept or process untrusted input that will be converted by iconv with these character sets enabled.", "Upgrade glibc to a newer version when a vendor patch that fixes the assertion failure is released.", "Keep monitoring official glibc advisories for updates or additional mitigation guidance."], "summary": {"action": "Apply Workaround", "impact": "Application Crash via iconv Assertion Failure (Denial of Service)"}, "threat_synthesis": {"affected_systems": "All systems or applications that link against glibc 2.43 or older and use iconv to convert data involving the IBM1390 or IBM1399 character sets are affected. This includes any Linux distribution that shipped glibc 2.43 or earlier and has these character sets enabled. Any service or user\u2011land application that accepts untrusted input that passes through iconv with these character sets may be vulnerable.", "description_and_impact": "The iconv() function in GNU C Library (glibc) versions 2.43 and earlier may crash when converting input from the IBM1390 or IBM1399 character sets. According to the advisory, an internal assertion failure is triggered during the conversion process, causing the application that called iconv to terminate. The crash is a direct result of the assertion fault, not a separate fault or memory corruption was not claimed in the description. The vulnerability is a denial\u2011of\u2011service type flaw and is identified as CWE\u2011617.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity vulnerability. No EPSS score is reported, and the vulnerability is not listed in CISA\u2019s KEV catalog. The advisory states the crash can be triggered by remote input, implying a remote exploitation vector: a malicious actor can send crafted data over a network or file system input that is processed by iconv. Immediate remediation is suggested to prevent denial of service. The likelihood of exploitation is considered moderate to high due to the remote trigger and the absence of required local privileges in the description."}}}}, "created": "2026-03-30T20:55:23.527027+00:00", "updated": "2026-03-31T20:40:36.449775+00:00", "vendors": ["the_gnu_c_library", "the_gnu_c_library$PRODUCT$glibc"]}