Cyber Resilience

CVE-2025-26519

High

Published: 14 February 2025

Published
14 February 2025
Modified
10 December 2025
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0003 10.6th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-26519 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Musl-Libc Musl. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-26519 is an out-of-bounds write vulnerability (CWE-787) in musl libc versions 0.9.13 through 1.2.5, prior to the release of version 1.2.6. The issue arises during iconv conversion of untrusted EUC-KR text to UTF-8, allowing memory corruption beyond allocated bounds. Affected systems include those using vulnerable musl libc builds, such as certain Linux distributions or embedded environments relying on this lightweight C standard library implementation.

The vulnerability requires local access (AV:L) with no privileges (PR:N) and high attack complexity (AC:H), but no user interaction (UI:N). A successful exploit changes scope (S:C), potentially granting high confidentiality (C:H) and integrity (I:H) impacts alongside low availability (A:L) disruption, for a CVSS v3.1 base score of 8.1. An attacker could trigger the iconv conversion with crafted EUC-KR input to overwrite adjacent memory, possibly leading to arbitrary code execution or denial of service depending on the context and mitigations in place.

Mitigation involves updating to musl libc 1.2.6, which addresses the flaw via patches documented in specific commits: c47ad25ea3b484e10326f933e927c0bc8cded3da and e5adcd97b5196e29991b524237381a0202a60659. Initial disclosure occurred on the oss-security mailing list on 2025-02-13, with discussions in threads at http://www.openwall.com/lists/oss-security/2025/02/13/2 and http://www.openwall.com/lists/oss-security/2025/02/13/3.

EU & UK References

Vulnerability details

musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The out-of-bounds write in musl libc iconv allows local exploitation with no privileges and scope change, directly enabling arbitrary code execution that can be leveraged for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-54509Shared CWE-787
CVE-2025-30273Shared CWE-787
CVE-2026-0124Shared CWE-787
CVE-2026-31401Shared CWE-787
CVE-2016-20044Shared CWE-787
CVE-2018-25265Shared CWE-787
CVE-2024-49738Shared CWE-787
CVE-2026-23343Shared CWE-787
CVE-2026-20432Shared CWE-787
CVE-2026-23092Shared CWE-787

Affected Assets

musl-libc
musl
0.9.13 — 1.2.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and remediation of flaws such as the out-of-bounds write in musl libc's iconv conversion of untrusted EUC-KR input.

prevent

Implements controls to protect against memory exploits like the out-of-bounds write vulnerability during iconv processing.

detect

Enables vulnerability scanning to identify systems affected by the musl libc out-of-bounds write vulnerability.

References