CVE-2026-6042
Received Received - Intake
Algorithmic Complexity Vulnerability in musl libc GB18030 Decoder

Publication date: 2026-04-10

Last updated on: 2026-04-10

Assigner: VulDB

Description
A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6042
EUVD
EUVD-2026-21354
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
musl libc to 1.2.6 (inc)
musl libc From 0.8.0 (inc) to 1.2.6 (inc)
musl libc 1.2.6
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6042 is a performance vulnerability in musl libc's iconv() function, specifically in the GB18030 4-byte decoder. The decoder contains a gap-skipping loop that performs a full linear scan of a large lookup table with 23,940 entries on each iteration of an outer loop. For certain crafted 4-byte sequences, this outer loop executes about 20,905 times, resulting in roughly 500 million comparisons per input character.

This inefficient algorithmic complexity causes a severe slowdown when decoding these crafted sequences, leading to excessive CPU usage and a denial-of-service condition. For example, decoding a single crafted 4-byte input character can take approximately 260 milliseconds compared to about 13 microseconds for a normal character, a slowdown factor of 19,000 times.

The vulnerability affects musl libc versions from 0.8.0 up to 1.2.6 and was fixed by replacing the inefficient linear scan with a more efficient lookup using a smaller auxiliary table, eliminating the costly nested loops.

Impact Analysis

This vulnerability can be exploited by an attacker to cause a denial of service (DoS) through CPU exhaustion. By sending a specially crafted GB18030 encoded payload to any network service that uses musl libc's iconv() for character encoding conversion, the attacker can trigger the inefficient decoding process.

The excessive CPU usage caused by decoding these crafted sequences can significantly degrade system performance or make the service unresponsive, potentially leading to downtime or disruption of service availability.

Detection Guidance

This vulnerability manifests as a significant performance degradation when musl libc's iconv() function decodes certain crafted GB18030 4-byte sequences, causing excessive CPU usage.

Detection can be performed by monitoring CPU usage spikes on services that use musl libc's iconv() for character encoding conversion, especially when processing GB18030 encoded data.

A practical test involves decoding a crafted GB18030 4-byte input character (for example, bytes 0x82 0x35 0x8F 0x33) using the affected musl libc version and measuring the time taken. A slowdown factor of about 19,000x compared to benign input indicates the vulnerability.

While no explicit commands are provided in the resources, you can use tools like strace or perf to monitor CPU usage of processes using iconv, or write a small test program that uses iconv() to decode the crafted input and measure execution time.

Mitigation Strategies

The recommended immediate mitigation is to deploy the patch provided by the musl libc maintainer that fixes the inefficient algorithm in the GB18030 4-byte decoder.

This patch replaces the costly nested loops scanning the large gb18030126 lookup table with a more efficient loop over a smaller auxiliary array, eliminating the performance bottleneck.

Until the patch can be applied, consider limiting or filtering GB18030 encoded input to services using musl libc's iconv() to reduce the risk of denial-of-service via crafted payloads.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart