Crash via iconv() in glibc <=2.43 with IBM139x charsets
CVE-2026-4046 Published on March 30, 2026

iconv crash due to assertion failure with untrusted input
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.

NVD

Vulnerability Analysis

CVE-2026-4046 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Weakness Type

What is an assertion failure Vulnerability?

The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

CVE-2026-4046 has been classified to as an assertion failure vulnerability or weakness.


Products Associated with CVE-2026-4046

Want to know whenever a new CVE is published for GNU Glibc? stack.watch will email you.

GNU Glibc
 

Affected Versions

The GNU C Library glibc:

Exploit Probability

EPSS
0.05%
Percentile
14.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.