7.5 CVE-2026-4046

Enriched by CISA

The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
https://nvd.nist.gov/vuln/detail/CVE-2026-4046

Categories

CWE-617 : Reachable Assertion
The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources) Perform input validation on user data. API server for LLM library can crash when provided an empty prompt, which triggers a reachable assertion Chain: function in web caching proxy does not correctly check a return value (CWE-253) leading to a reachable assertion (CWE-617) FTP server allows remote attackers to cause a denial of service (daemon abort) via crafted commands which trigger an assertion failure. Chat client allows remote attackers to cause a denial of service (crash) via a long message string when connecting to a server, which causes an assertion failure. Product allows remote attackers to cause a denial of service (daemon crash) via LDAP BIND requests with long authcid names, which triggers an assertion failure. Product allows remote attackers to cause a denial of service (crash) via certain queries, which cause an assertion failure. Chain: security monitoring product has an off-by-one error that leads to unexpected length values, triggering an assertion. Anti-virus product has assert error when line length is non-numeric.

References

3ff69d7a-14f2-4f67-a097-88dee7810d18

https://sourceware.org/bugzilla/show_bug.cgi?id=33980
https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-20...

AFFECTED (from MITRE)

Vendor	Product	Versions
The GNU C Library	glibc	2.3.3 < * [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee