CVE-2026-6042
Algorithmic Complexity Vulnerability in musl libc GB18030 Decoder
Publication date: 2026-04-10
Last updated on: 2026-04-10
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| musl | libc | to 1.2.6 (inc) |
| musl | libc | From 0.8.0 (inc) to 1.2.6 (inc) |
| musl | libc | 1.2.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6042 is a performance vulnerability in musl libc's iconv() function, specifically in the GB18030 4-byte decoder. The decoder contains a gap-skipping loop that performs a full linear scan of a large lookup table with 23,940 entries on each iteration of an outer loop. For certain crafted 4-byte sequences, this outer loop executes about 20,905 times, resulting in roughly 500 million comparisons per input character.
This inefficient algorithmic complexity causes a severe slowdown when decoding these crafted sequences, leading to excessive CPU usage and a denial-of-service condition. For example, decoding a single crafted 4-byte input character can take approximately 260 milliseconds compared to about 13 microseconds for a normal character, a slowdown factor of 19,000 times.
The vulnerability affects musl libc versions from 0.8.0 up to 1.2.6 and was fixed by replacing the inefficient linear scan with a more efficient lookup using a smaller auxiliary table, eliminating the costly nested loops.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a significant performance degradation when musl libc's iconv() function decodes certain crafted GB18030 4-byte sequences, causing excessive CPU usage.
Detection can be performed by monitoring CPU usage spikes on services that use musl libc's iconv() for character encoding conversion, especially when processing GB18030 encoded data.
A practical test involves decoding a crafted GB18030 4-byte input character (for example, bytes 0x82 0x35 0x8F 0x33) using the affected musl libc version and measuring the time taken. A slowdown factor of about 19,000x compared to benign input indicates the vulnerability.
While no explicit commands are provided in the resources, you can use tools like strace or perf to monitor CPU usage of processes using iconv, or write a small test program that uses iconv() to decode the crafted input and measure execution time.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to deploy the patch provided by the musl libc maintainer that fixes the inefficient algorithm in the GB18030 4-byte decoder.
This patch replaces the costly nested loops scanning the large gb18030126 lookup table with a more efficient loop over a smaller auxiliary array, eliminating the performance bottleneck.
Until the patch can be applied, consider limiting or filtering GB18030 encoded input to services using musl libc's iconv() to reduce the risk of denial-of-service via crafted payloads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
This vulnerability can be exploited by an attacker to cause a denial of service (DoS) through CPU exhaustion. By sending a specially crafted GB18030 encoded payload to any network service that uses musl libc's iconv() for character encoding conversion, the attacker can trigger the inefficient decoding process.
The excessive CPU usage caused by decoding these crafted sequences can significantly degrade system performance or make the service unresponsive, potentially leading to downtime or disruption of service availability.