{"id":"CVE-2025-26519","details":"musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.","modified":"2026-04-12T15:44:30.354490Z","published":"2025-02-14T04:15:09.050Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/13/4"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/14/5"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/14/6"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2025/02/13/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/13/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/13/3"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2025/02/13/5"},{"type":"FIX","url":"https://git.musl-libc.org/cgit/musl/commit/?id=e5adcd97b5196e29991b524237381a0202a60659"},{"type":"FIX","url":"https://git.musl-libc.org/cgit/musl/commit/?id=c47ad25ea3b484e10326f933e927c0bc8cded3da"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.musl-libc.org/git/musl","events":[{"introduced":"d0f0fa484c5216710936715c176f67b3781e4b71"},{"fixed":"9fa28ece75d8a2191de7c5bb53bed224c5947417"},{"fixed":"c47ad25ea3b484e10326f933e927c0bc8cded3da"},{"fixed":"e5adcd97b5196e29991b524237381a0202a60659"}],"database_specific":{"versions":[{"introduced":"0.9.13"},{"fixed":"1.2.6"}]}}],"versions":["v0.9.13","v0.9.14","v0.9.15","v1.0.0","v1.1.0","v1.1.1","v1.1.10","v1.1.11","v1.1.12","v1.1.13","v1.1.14","v1.1.15","v1.1.16","v1.1.17","v1.1.18","v1.1.19","v1.1.2","v1.1.20","v1.1.21","v1.1.22","v1.1.23","v1.1.24","v1.1.3","v1.1.4","v1.1.5","v1.1.6","v1.1.7","v1.1.8","v1.1.9","v1.2.0","v1.2.1","v1.2.2","v1.2.3","v1.2.4","v1.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-26519.json","vanir_signatures_modified":"2026-04-12T15:44:30Z","vanir_signatures":[{"source":"https://git.musl-libc.org/git/musl@e5adcd97b5196e29991b524237381a0202a60659","signature_type":"Function","target":{"function":"iconv","file":"src/locale/iconv.c"},"signature_version":"v1","digest":{"function_hash":"93419066010476125232935541587925431376","length":11159},"id":"CVE-2025-26519-018d6cac","deprecated":false},{"source":"https://git.musl-libc.org/git/musl@c47ad25ea3b484e10326f933e927c0bc8cded3da","signature_type":"Function","target":{"function":"iconv","file":"src/locale/iconv.c"},"signature_version":"v1","digest":{"function_hash":"167809337656710166781439122833321772026","length":11167},"id":"CVE-2025-26519-4d9c4667","deprecated":false},{"source":"https://git.musl-libc.org/git/musl@e5adcd97b5196e29991b524237381a0202a60659","signature_type":"Line","target":{"file":"src/locale/iconv.c"},"signature_version":"v1","digest":{"line_hashes":["129306248461741217178475625607907061982","255163811664769576354929690911416551658","197971057117161259549704318582357211451","2381129348957302750695086902723883393"],"threshold":0.9},"id":"CVE-2025-26519-eaf2b425","deprecated":false},{"source":"https://git.musl-libc.org/git/musl@c47ad25ea3b484e10326f933e927c0bc8cded3da","signature_type":"Line","target":{"file":"src/locale/iconv.c"},"signature_version":"v1","digest":{"line_hashes":["68640536640438550437011154975415953180","255003065411938373494259616672361207301","144306552937797799478204467318652076715","125054553382242497022687901941500091595"],"threshold":0.9},"id":"CVE-2025-26519-fdb73675","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}