CVE-2026-40200
Stack-Based Memory Corruption in musl libc qsort on Large Arrays

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: MITRE

Description
An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical).
Meta Information

  • Published: 2026-04-10
  • Last Modified: 2026-04-10
  • Generated: 2026-05-06
  • AI Q&A: 2026-04-10
  • EPSS Evaluated: 2026-05-05

Affected Vendors & Products
Showing 1 associated CPE

| Vendor | Product | Version / Range |
|--------|---------|-----------------|
| musl | libc | From 0.7.10 (inc) to 1.2.6 (inc) |

CWE

| CWE ID | Description |
|--------|-------------|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40200 is a stack-based buffer overflow vulnerability in the musl libc library, specifically affecting the qsort function when sorting very large arrays on 32-bit systems.

The issue arises from a logic error in the implementation of double-word primitives used in the smoothsort algorithm, which relies on Leonardo numbers. This error causes incorrect bit counting and bit shifting operations, leading to corruption of internal data structures and ultimately a stack buffer overflow.

The vulnerability affects musl libc versions 0.7.10 through 1.2.6 and occurs when sorting arrays larger than about seven million elements on 32-bit platforms. On 64-bit platforms, the array size required to trigger the issue is impractically large.


How can this vulnerability impact me?

On 32-bit systems, this vulnerability can cause a stack buffer overflow during the qsort operation on very large arrays, which can lead to application crashes.

More seriously, because the vulnerable code path involves indirect calls to a comparison function, an attacker might exploit this flaw to achieve arbitrary code execution despite stack protection mechanisms.

On 64-bit systems, practical exploitation is unlikely due to the extremely large array size required to trigger the vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects musl libc versions 0.7.10 through 1.2.6, specifically on 32-bit systems when qsort is used to sort very large arrays (exceeding about seven million elements). Detection involves verifying the musl libc version and architecture of your system.

  • Check the musl libc version installed on your system to see if it falls within the vulnerable range (0.7.10 to 1.2.6).
  • Determine if your system is running a 32-bit architecture, as the vulnerability is practically exploitable only on 32-bit platforms.
  • Monitor or audit usage of qsort on very large arrays (over seven million elements) in your applications, as this is the trigger condition for the vulnerability.

Suggested commands to gather this information include:

  • To check musl libc version: `ldd --version` or `musl-gcc --version` (depending on your system setup).
  • To check system architecture: `uname -m` (expect output like 'i386', 'i686' for 32-bit).
  • To identify processes or applications using musl libc, you may use `ldd` on binaries or check package manager info.
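
The three checks above combined into one triage helper, as an added example (not code from the advisory or from musl). Function names are hypothetical; the list of 64-bit architecture names is an assumption, and the Leonardo indexing L(0)=L(1)=1 is assumed because it gives 7,049,155 at index 32, matching the advisory's "about seven million".

```shell
#!/bin/sh
# Added triage helper for CVE-2026-40200; all function names are hypothetical.

# MAJOR.MINOR.PATCH -> one comparable integer (fields assumed < 1000).
ver_to_int() {
    old_ifs=$IFS; IFS=.
    set -- ${1%%[!0-9.]*}          # drop suffixes such as "-git-12-gabc"
    IFS=$old_ifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# True when the version is inside the advisory's range 0.7.10 .. 1.2.6.
musl_version_affected() {
    v=$(ver_to_int "$1")
    [ "$v" -ge "$(ver_to_int 0.7.10)" ] && [ "$v" -le "$(ver_to_int 1.2.6)" ]
}

# Word size for an architecture name such as `uname -m` prints. The 64-bit
# list is an assumption; anything unrecognised is treated as 32-bit.
arch_bits() {
    case "$1" in
        x86_64|aarch64*|mips64*|powerpc64*|ppc64*|riscv64*|s390x|loongarch64) echo 64 ;;
        *) echo 32 ;;
    esac
}

# n-th Leonardo number, L(0)=L(1)=1, L(n)=L(n-1)+L(n-2)+1.
leonardo() {
    a=1; b=1; i=0
    while [ "$i" -lt "$1" ]; do
        c=$((a + b + 1)); a=$b; b=$c; i=$((i + 1))
    done
    echo "$a"
}

# triage VERSION ARCH NMEMB -> verdict for the largest array the app sorts.
triage() {
    musl_version_affected "$1" || { echo "not-affected"; return; }
    if [ "$3" -gt "$(leonardo "$(arch_bits "$2")")" ]; then
        echo "affected-over-threshold"
    else
        echo "affected-below-threshold"
    fi
}

# Constructed sample inputs (not measurements from a real host).
triage 1.2.5 i686 8000000
triage 1.2.5 x86_64 8000000
triage 1.2.7 i686 8000000
```

Pass it the musl version and architecture gathered with the commands above, plus the largest element count your application hands to qsort. A 32-bit userland on a 64-bit kernel still reports the kernel's architecture through `uname -m`, so pass the userland's architecture in that case.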

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users running musl libc versions 0.7.10 through 1.2.6 on 32-bit systems should upgrade to a fixed version later than 1.2.6, such as version 1.2.7 once it is available.

If upgrading immediately is not possible, applying the patch provided by the musl libc maintainers that corrects the double-word primitive implementation in qsort is recommended.

Additionally, avoid sorting extremely large arrays (exceeding about seven million elements) with qsort on affected systems until the vulnerability is addressed.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-40200 on compliance with common standards and regulations such as GDPR or HIPAA.

