CVE-2025-26519
Published: 14 February 2025
Summary
CVE-2025-26519 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Musl-Libc Musl. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-26519 is an out-of-bounds write vulnerability (CWE-787) in musl libc versions 0.9.13 through 1.2.5, prior to the release of version 1.2.6. The issue arises during iconv conversion of untrusted EUC-KR text to UTF-8, allowing memory corruption beyond allocated bounds. Affected systems include those using vulnerable musl libc builds, such as certain Linux distributions or embedded environments relying on this lightweight C standard library implementation.
The vulnerability requires local access (AV:L) with no privileges (PR:N) and high attack complexity (AC:H), but no user interaction (UI:N). A successful exploit changes scope (S:C), potentially granting high confidentiality (C:H) and integrity (I:H) impacts alongside low availability (A:L) disruption, for a CVSS v3.1 base score of 8.1. An attacker could trigger the iconv conversion with crafted EUC-KR input to overwrite adjacent memory, possibly leading to arbitrary code execution or denial of service depending on the context and mitigations in place.
Mitigation involves updating to musl libc 1.2.6, which addresses the flaw via patches documented in specific commits: c47ad25ea3b484e10326f933e927c0bc8cded3da and e5adcd97b5196e29991b524237381a0202a60659. Initial disclosure occurred on the oss-security mailing list on 2025-02-13, with discussions in threads at http://www.openwall.com/lists/oss-security/2025/02/13/2 and http://www.openwall.com/lists/oss-security/2025/02/13/3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4206
Vulnerability details
musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds write in musl libc iconv allows local exploitation with no privileges and scope change, directly enabling arbitrary code execution that can be leveraged for privilege escalation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and remediation of flaws such as the out-of-bounds write in musl libc's iconv conversion of untrusted EUC-KR input.
Implements controls to protect against memory exploits like the out-of-bounds write vulnerability during iconv processing.
Enables vulnerability scanning to identify systems affected by the musl libc out-of-bounds write vulnerability.