CVE-2026-4046

NameCVE-2026-4046
DescriptionThe iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)bullseye2.31-13+deb11u11vulnerable
bullseye (security)2.31-13+deb11u13vulnerable
bookworm2.36-9+deb12u13vulnerable
bookworm (security)2.36-9+deb12u7vulnerable
trixie2.41-12+deb13u2vulnerable
forky2.42-13vulnerable
sid2.42-14vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsource(unstable)(unfixed)

Notes

https://sourceware.org/git/?p=glibc.git;a=blob_plain;f=advisories/GLIBC-SA-2026-0007
Search for package or bug name: Reporting problems