CVE-2025-26519

CVE-2025-26519 is an out-of-bounds write vulnerability (CWE-787) in musl libc versions 0.9.13 through 1.2.5, prior to the release of version 1.2.6. The issue arises during iconv conversion of untrusted EUC-KR text to UTF-8, allowing memory corruption beyond allocated bounds. Affected systems include those using vulnerable musl libc builds, such as certain Linux distributions or embedded environments relying on this lightweight C standard library implementation.

The vulnerability requires local access (AV:L) with no privileges (PR:N) and high attack complexity (AC:H), but no user interaction (UI:N). A successful exploit changes scope (S:C), potentially granting high confidentiality (C:H) and integrity (I:H) impacts alongside low availability (A:L) disruption, for a CVSS v3.1 base score of 8.1. An attacker could trigger the iconv conversion with crafted EUC-KR input to overwrite adjacent memory, possibly leading to arbitrary code execution or denial of service depending on the context and mitigations in place.

Mitigation involves updating to musl libc 1.2.6, which addresses the flaw via patches documented in specific commits: c47ad25ea3b484e10326f933e927c0bc8cded3da and e5adcd97b5196e29991b524237381a0202a60659. Initial disclosure occurred on the oss-security mailing list on 2025-02-13, with discussions in threads at http://www.openwall.com/lists/oss-security/2025/02/13/2 and http://www.openwall.com/lists/oss-security/2025/02/13/3.