A serious vulnerability has been discovered in musl libc, the lightweight C standard library often favored in embedded systems and resource-constrained environments. Tracked as CVE-2025-26519 (CVSS 8.1), this flaw could allow attackers to execute arbitrary code on vulnerable systems. The vulnerability stems from an input-controlled out-of-bounds write primitive within the iconv() function.
musl libc is a popular choice for its small footprint and focus on correctness, making this vulnerability particularly concerning due to its widespread use. The issue lies in how iconv() handles character encoding conversions, specifically when converting from EUC-KR to UTF-8. Nick Wellnhofer discovered the flaw, which exists due to a combination of improper input validation in the EUC-KR decoder and an assumption in the UTF-8 encoder that the input decoder always produces valid Unicode Scalar Values.
The CVE-2025-26519 vulnerability is triggered when an application uses iconv_open with UTF-8 as the output encoding and EUC-KR as the input encoding. Critically, the application must process untrusted input using the resulting conversion descriptor. A common scenario involves using the declared MIME charset of untrusted data (like in XML, HTML, or MIME-encoded email) as input to iconv_open for converting arbitrary-encoding input to UTF-8. An attacker could craft malicious input, exploiting the vulnerability to overwrite memory and potentially gain control of the affected system.
The vulnerable code has been present in musl libc since version 0.9.13, when EUC-KR support was introduced. All versions up to and including 1.2.5 are affected. Users are strongly advised to update to version 1.2.6 or later, which contains the necessary fixes.
For users of musl libc-based distributions, the recommended course of action is to obtain updated packages through their distribution’s official update channels. Source patches are also available for those who manage their own musl libc builds. These patches address both the root cause of the bug (incorrect input byte validation) and the escalation vector that leads to the out-of-bounds write.
In cases where updating or patching is difficult, particularly with statically linked binaries, a temporary workaround is available. This involves disabling EUC-KR support by modifying the binary using a hex editor. Specifically, the byte sequence “euckr\0ksc5601\0ksx1001\0cp949\0” should be replaced with “—–\0——-\0——-\0—–\0”. This effectively prevents iconv_open from recognizing EUC-KR and its aliases, thus avoiding the vulnerable code path. While this mitigates the immediate threat, it also disables EUC-KR decoding functionality.
This vulnerability poses a significant risk to systems using musl libc, especially those processing untrusted input. The potential for remote code execution makes it crucial for users to apply the provided mitigations as soon as possible. Users are encouraged to review their systems and ensure they are running a patched version of musl libc to protect against potential exploits.
