CVE-2025-26519

8.1 HIGH

📋 TL;DR

This vulnerability in musl libc allows attackers to trigger an out-of-bounds write during EUC-KR to UTF-8 iconv conversion, potentially leading to memory corruption and arbitrary code execution. It affects systems using musl libc versions 0.9.13 through 1.2.5, including Alpine Linux and other lightweight Linux distributions.

💻 Affected Systems

Products:
  • musl libc
  • Alpine Linux
  • Docker containers using Alpine base images
  • Embedded Linux systems using musl
Versions: musl libc 0.9.13 through 1.2.5
Operating Systems: Alpine Linux and other distributions using musl libc
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing untrusted EUC-KR text through iconv conversion to UTF-8.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crashes (denial of service) or limited memory corruption affecting specific processes.

🟢 If Mitigated: Contained process crashes with no privilege escalation if proper sandboxing and memory protections are enabled.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires specific conditions: attacker-controlled EUC-KR text being converted via iconv.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: musl libc 1.2.6

Vendor Advisory: https://www.openwall.com/lists/oss-security/2025/02/13/2

Restart Required: No

Instructions:

1. Update musl libc to version 1.2.6 or later.
2. For Alpine Linux: run 'apk update && apk upgrade musl'.
3. Rebuild any containers or applications using vulnerable musl versions.

🔧 Temporary Workarounds

Disable EUC-KR iconv conversion (applies to: all)

Prevent processing of EUC-KR text through iconv if not required.

Input validation (applies to: all)

Validate and sanitize all text input before iconv conversion.

🧯 If You Can't Patch

  • Implement strict input validation for all text conversion operations
  • Use application sandboxing/containerization to limit potential damage

🔍 How to Verify

Check if Vulnerable:

Check musl libc version: 'ldd --version' or 'musl-gcc --version'

Check Version:

ldd --version 2>&1 | grep -i musl

Verify Fix Applied:

Verify that the musl version reported by the version check command is 1.2.6 or later.
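The version check above can be scripted so it yields a definite answer rather than a line to read by eye. The following is an added example, not part of this advisory or of musl itself: it parses the output of 'ldd --version' (on musl systems this includes a "Version X.Y.Z" line), compares it against the affected range stated above (0.9.13 through 1.2.5, fixed in 1.2.6), and reports fixed, vulnerable, or unaffected. The sample ldd outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a musl installation as fixed / vulnerable / unaffected
# for CVE-2025-26519 from the output of `ldd --version`.

FIXED_MUSL="1.2.6"        # first fixed release (from the advisory)
AFFECTED_FROM="0.9.13"    # first affected release (from the advisory)

# Constructed sample outputs in the shape musl's ldd prints (not captured from a real host).
SAMPLE_VULNERABLE='musl libc (x86_64)
Version 1.2.5
Dynamic Program Loader'
SAMPLE_FIXED='musl libc (aarch64)
Version 1.2.6
Dynamic Program Loader'

# musl_version_from_ldd: read ldd output on stdin and print the version number.
# Returns 1 (prints nothing) if the output does not look like musl's.
musl_version_from_ldd() {
    awk '
        tolower($0) ~ /musl/ { is_musl = 1 }
        is_musl && $1 == "Version" { print $2; found = 1; exit }
        END { exit(found ? 0 : 1) }
    '
}

# version_ge A B: exit 0 if dotted version A >= B, comparing component by component.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# musl_status: read ldd output on stdin; print the verdict and return
# 0 = fixed, 1 = vulnerable, 2 = not musl or older than the affected range.
musl_status() {
    ver=$(musl_version_from_ldd) || { echo "not-musl"; return 2; }
    if version_ge "$ver" "$FIXED_MUSL"; then echo "fixed ($ver)"; return 0; fi
    if version_ge "$ver" "$AFFECTED_FROM"; then echo "vulnerable ($ver)"; return 1; fi
    echo "unaffected ($ver)"; return 2
}

# check_host_musl: run the live check on this machine (meaningful only on musl-based systems).
check_host_musl() {
    ldd --version 2>&1 | musl_status
}
```

Run check_host_musl inside each Alpine-based container image you ship; a non-zero exit code of 1 means the image still needs the musl 1.2.6 upgrade and rebuild described under Instructions.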

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during text conversion
  • Segmentation faults in processes using iconv

Network Indicators:

  • Unusual EUC-KR encoded traffic to applications

SIEM Query:

process:crash AND (iconv OR musl OR text_conversion)
