CVE-2026-4046
Published: 30 March 2026
Summary
CVE-2026-4046 is a high-severity Reachable Assertion (CWE-617) vulnerability in GNU glibc. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 14.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation of flaws in glibc versions 2.43 and earlier (updating to a fixed release) directly removes the iconv() assertion failure triggered by malicious IBM1390 or IBM1399 inputs.
Configuring systems for least functionality by removing the IBM1390 and IBM1399 character sets where they are not needed prevents iconv() from ever processing the inputs that trigger the crash, as recommended in the advisory.
Establishing and enforcing a secure baseline configuration for glibc that excludes the vulnerable IBM1390 and IBM1399 character sets mitigates remote DoS exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote DoS caused by an assertion failure and crash in glibc iconv() when it processes input in specific character sets. That maps directly to T1499.004 (Application or System Exploitation): the attacker denies service by crashing the application, with no code execution or other impact.
NVD Description
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application. This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
Deeper analysis
CVE-2026-4046 affects the iconv() function in the GNU C Library (glibc) versions 2.43 and earlier. The vulnerability causes an assertion failure and subsequent crash when processing inputs from the IBM1390 or IBM1399 character sets, potentially leading to denial-of-service in applications that invoke iconv() for character conversion.
The flaw is remotely exploitable over the network with low complexity and requires no privileges or user interaction, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An unauthenticated remote attacker who can feed input to a vulnerable application that converts from these character sets can crash it, producing a high availability impact with no effect on confidentiality or integrity.
Advisories recommend trivial mitigation by removing the IBM1390 and IBM1399 character sets from systems that do not require them, as detailed in the glibc security advisory (GLIBC-SA-2026-0007) and related Sourceware bugzilla entry. References include the libc-announce mailing list, bugzilla #33980, and the glibc git advisory blob.
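To verify the mitigation described above on a host (glibc at or below 2.43 and the IBM1390/IBM1399 charsets still available to iconv), here is an added POSIX shell check; it is not part of the advisory or of glibc. It assumes `getconf GNU_LIBC_VERSION` and `iconv -l` are available for the live check, and the decision functions are kept separate so they can be run on constructed input.

```shell
#!/bin/sh
# Added example: a host is treated as exposed to CVE-2026-4046 when its glibc
# is 2.43 or earlier AND iconv still advertises IBM1390 or IBM1399.
# Assumption: fixing by upgrade OR removing the charsets is sufficient (per the advisory).

# Return 0 (true) when "major.minor" is 2.43 or earlier.
glibc_version_affected() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -le 43 ]; }
}

# Return 0 when the charset list (iconv -l style, e.g. "IBM1390//", one per
# line or comma-separated) names either vulnerable charset. -w stops
# IBM1390 from matching longer names such as IBM13901.
charsets_present() {
  printf '%s\n' "$1" | grep -Eiqw 'IBM139[09]'
}

# Return 0 (exposed) only when both conditions hold.
exposed() {
  glibc_version_affected "$1" && charsets_present "$2"
}

# Live check of this host; skipped silently on non-glibc systems.
if command -v getconf >/dev/null 2>&1 && command -v iconv >/dev/null 2>&1; then
  ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
  if [ -n "$ver" ]; then
    list=$(iconv -l 2>/dev/null)
    if exposed "$ver" "$list"; then
      echo "glibc $ver with IBM1390/IBM1399 available: exposed to CVE-2026-4046"
    else
      echo "glibc $ver: not exposed (fixed version or charsets removed)"
    fi
  fi
fi
```

Run it after removing the gconv modules or upgrading glibc to confirm the host no longer reports as exposed.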
Details
- CWE(s)