CVE-2026-4046 · The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IB

01 · The Real Story

Like a fire alarm wired to one obscure room, it is loud when triggered but absent from most buildings

CVE-2026-4046 is a reachable assertion in glibc iconv() when converting attacker-controlled input from the IBM1390 or IBM1399 character sets. Upstream describes GNU C Library 2.43 and earlier as affected, with downstream fixes/backports starting to appear in vendor package streams rather than only in a clean major-version jump. Practically, this only matters where an application accepts untrusted text, allows or infers one of those source encodings, and then actually routes that data through iconv() on a host that still has those gconv modules installed.

The vendor's HIGH 7.5 CVSS is technically defensible in a vacuum because the end state is unauthenticated remote process termination. In enterprise reality, though, the reachable population is much narrower: IBM1390/IBM1399 are niche encodings, many apps normalize to UTF-8 long before iconv() sees user input, and removing the two charsets is a trivial compensating control. That combination pushes this down to a middle-queue denial-of-service issue, not an all-hands emergency.

"This is a real crash bug, but only for apps that expose rare IBM139x charset conversion paths to attackers."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach a text-processing path

The attacker uses a client like curl, Burp Repeater, or a bespoke HTTP/SMPP/mail payload generator to hit an application feature that ingests untrusted text and performs charset conversion. The bug is in glibc, but it is only attacker-reachable through the calling application's parsing and conversion logic, not by merely being installed on a Linux host (NVD).

Conditions required:

Unauthenticated or low-friction remote access to an application endpoint
The application must process attacker-controlled text
The application must invoke iconv() or a wrapper around it

Where this breaks in practice:

Most enterprise apps do not expose arbitrary source-charset selection to users
Many modern stacks normalize to UTF-8 before reaching glibc conversion modules

Detection/coverage: Static host scanners will flag vulnerable glibc versions, but they usually cannot prove that a specific application exposes the vulnerable conversion path.

STEP 02

Force the rare IBM139x path

The attacker must cause conversion from IBM1390 or IBM1399, the two upstream-identified problematic encodings. A practical tool here is a custom request generator or test harness that sets charset metadata or embeds payloads in workflows that preserve source encoding labels (NVD, Fedora changelog).

Conditions required:

The target workflow must honor or infer IBM1390 or IBM1399 input
The relevant gconv modules must be installed on the host

Where this breaks in practice:

IBM1390 and IBM1399 are niche encodings rarely used in typical web, API, or SaaS deployments
Hosts that do not ship the modules, or that remove them, break this path completely

Detection/coverage: Inventory can look for IBM1390 and IBM1399 entries under gconv-modules; network detection is weak because the trigger usually hides inside legitimate application traffic.

STEP 03

Trigger the assertion

With the vulnerable path reached, the attacker sends malformed input that drives iconv() into an assertion failure. Upstream fix notes describe the remediation as using pending character state in the affected IBM charset handlers, which strongly indicates a parser-state edge case rather than a broad memory-corruption primitive (Fedora changelog).

Conditions required:

A payload that exercises the vulnerable state transition
A vulnerable upstream or unbackported downstream build

Where this breaks in practice:

The impact is process abort, not code execution
Attackers still need the exact app path to stay reachable end to end

Detection/coverage: Look for SIGABRT, assert messages, coredumps, service restarts, and application 5xx spikes around input-conversion code paths.

STEP 04

Convert app crash into service impact

The result is denial of service against the affected worker, process, or service instance. A weaponized loop with curl, ab, or custom scripts can repeatedly retrigger the crash, but modern supervisors, containers, and load balancers usually constrain blast radius to the exposed application tier rather than the whole estate.

Conditions required:

The service must lack sufficient restart throttling or upstream request filtering
Repeated requests must continue reaching the same vulnerable code path

Where this breaks in practice:

Systemd, Kubernetes, and app supervisors often auto-restart the crashed process
Rate limits, WAFs, and queue isolation reduce sustained outage potential

Detection/coverage: Operational monitoring will usually see restart storms faster than security tooling; external scanners cannot directly observe whether the encoding-specific path is exposed.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No current evidence of active exploitation found in the sources reviewed, and not listed in CISA KEV as of this assessment (KEV catalog).
Proof-of-concept availability	I did not find a high-confidence public GitHub exploit repo from a primary source. However, Tenable's plugin changelog marks exploit maturity as `E:POC`, which suggests proof-of-concept code exists in circulation even if it is not prominently indexed (Tenable plugin 304363).
EPSS	User-supplied EPSS is 0.0008. Downstream feeds place it roughly in the low percentile band as well, reinforcing that this is not attracting broad exploitation attention (Snyk Ubuntu page).
KEV status	Not KEV-listed. No CISA due date, no known-ransomware note, and no public exploitation mandate signal from KEV.
CVSS vector reality check	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` captures the raw crash potential, but it overstates reachable population because it assumes any network path to a glibc host can trigger the bug. In reality, the attacker needs a specific application behavior plus rare charset support.
Affected versions	Upstream/NVD describe GNU C Library 2.43 and earlier as affected. The vulnerable path is specifically conversion from `IBM1390` or `IBM1399` (NVD).
Fixed versions	Upstream fix text appears in Fedora rawhide as `Use pending character state in IBM1390, IBM1399 character sets (CVE-2026-4046)` by 2026-04-22; distro backports include examples like SUSE `glibc >= 2.31-150300.101.1` and Wolfi/Snyk package streams fixed at `2.43-r6` or later depending on distro packaging (Fedora rawhide, SUSE, Snyk Wolfi package page).
Scanning and exposure data	There is no meaningful direct Shodan/Censys/GreyNoise exposure metric for this CVE because `glibc` is a library, not an Internet-facing service banner. Exposure must be inferred from application behavior, package inventory, and presence of the affected gconv modules rather than internet-wide scans.
Disclosure timeline	Published 2026-03-30 by the GNU C Library project; NVD shows later modifications through 2026-04-20 (NVD).
Reporting / owning org	The CVE source is GNU C Library. Publicly accessible secondary references consistently tie the issue to sourceware bug 33980 / GLIBC-SA-2026-0007, but I could not independently confirm an individual finder name from a primary source due sourceware anti-bot blocking.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to MEDIUM (4.8/10)

The decisive downgrade factor is reachability friction: attackers do not get a generic remote DoS against every Linux host with glibc; they need an application that exposes attacker-controlled charset conversion specifically through IBM1390 or IBM1399. That sharply narrows the exposed population, even though the crash itself is easy once the right path exists.

HIGH Technical impact is denial of service only

MEDIUM Enterprise-wide reachable population is limited by app behavior and charset usage

MEDIUM Exploit maturity assessment beyond public references

Why this verdict

Down from 7.5 because the network precondition is misleading: the vulnerable component is a library, so 'AV:N' only materializes when a front-end application accepts untrusted text and passes it into iconv().
Down again because the attacker must hit rare encodings: IBM1390 and IBM1399 are niche character sets, not common web or API defaults, which cuts the reachable population hard.
Down again because the blast radius is usually one service tier: this is a process-abort DoS, and modern supervisors, containers, and load balancers often restart or isolate the failure.
Kept above LOW because the path can still be unauthenticated and remotely triggerable on public text-processing services that preserve charset negotiation or legacy conversion workflows.
Kept below HIGH because there is no strong exploitation pressure: no KEV listing, very low EPSS, and no solid evidence of widespread scanning or operational abuse.

Why not higher?

There is no code execution, privilege gain, or data exposure here. More importantly, the attack chain depends on a niche application condition set: attacker-controlled charset conversion, presence of IBM1390/IBM1399, and an exposed service path that does not normalize to safer encodings first.

Why not lower?

This is still a real unauthenticated remote crash when the vulnerable path exists, and glibc sits under a lot of software. If you run internet-facing mail, content ingestion, document processing, or legacy data-conversion workflows, the bug can be operationally noisy enough to deserve more than backlog trivia.

05 · Compensating Control

What to do — in priority order.

Remove unused IBM1390 and IBM1399 gconv modules — If your environment does not legitimately process these charsets, remove or exclude the relevant gconv support so the vulnerable conversion path does not exist. For a MEDIUM verdict there is no mitigation SLA; do this in the next normal change window while still aiming to complete permanent remediation within 365 days.
Constrain accepted source encodings — At the application, gateway, or parsing layer, enforce an allowlist such as UTF-8 and other business-required encodings only. This is the highest-value control where applications accept uploaded files, email bodies, or charset-declared text; again, no mitigation SLA applies for MEDIUM, so fold it into routine engineering changes.
Monitor for abort-and-restart loops — Add alerts for SIGABRT, coredumps, repeated worker exits, and restart storms on services that perform charset conversion. This will not remove the bug, but it reduces mean time to containment if a reachable edge case is exercised before patching.
Prioritize exposure-driven patching — Patch hosts that back public-facing text ingestion and legacy conversion services first, then broader fleet maintenance later. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window, but exposed conversion services should be moved to the front of that queue.

What doesn't work

MFA does nothing here; the interesting paths are often unauthenticated content-processing endpoints.
Kernel hardening or SELinux does not stop the crash condition in iconv(); it may limit secondary effects, but the process can still abort.
Generic perimeter IPS signatures are weak coverage because the trigger depends on app-specific payload handling and rare charset negotiation, not a clean one-packet network fingerprint.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host as a regular user; root is only helpful if your package-manager metadata is restricted. Save it as check-cve-2026-4046.sh and run bash check-cve-2026-4046.sh. It checks the installed glibc version, looks for IBM1390/IBM1399 converter support, and uses distro changelog/package hints where available to avoid false positives from backports.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-4046.sh
# Detect likely exposure to CVE-2026-4046 on Linux/glibc hosts.
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

say() { printf '%s\n' "$*"; }

version_le() {
  # returns 0 if $1 <= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

version_gt() {
  # returns 0 if $1 > $2
  ! version_le "$1" "$2"
}

get_glibc_ver() {
  local v=""
  if command -v getconf >/dev/null 2>&1; then
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
  fi
  if [ -z "$v" ] && command -v ldd >/dev/null 2>&1; then
    v=$(ldd --version 2>/dev/null | head -n1 | grep -Eo '[0-9]+\.[0-9]+' | head -n1)
  fi
  printf '%s' "$v"
}

has_ibm139x_modules() {
  local paths
  paths=$(find /usr/lib* /lib* -maxdepth 3 \( -name 'gconv-modules' -o -name 'gconv-modules.d' \) 2>/dev/null)
  if [ -z "$paths" ]; then
    return 1
  fi
  if grep -RqsE 'IBM1390|IBM1399' $paths 2>/dev/null; then
    return 0
  fi
  return 1
}

rpm_backport_fixed() {
  if ! command -v rpm >/dev/null 2>&1; then
    return 1
  fi

  # SUSE-style fixed floor seen in vendor advisory
  local nvra
  nvra=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' glibc 2>/dev/null || true)
  if printf '%s\n' "$nvra" | grep -q ' 2\.31-150300\.101\.1'; then
    return 0
  fi

  # Fedora/rawhide and other RPM backports often leave breadcrumbs in changelog
  if rpm -q --changelog glibc-common 2>/dev/null | grep -qiE 'CVE-2026-4046|IBM1390, IBM1399 character sets'; then
    return 0
  fi
  if rpm -q --changelog glibc 2>/dev/null | grep -qiE 'CVE-2026-4046|IBM1390, IBM1399 character sets'; then
    return 0
  fi
  return 1
}

dpkg_backport_fixed() {
  if ! command -v dpkg-query >/dev/null 2>&1; then
    return 1
  fi

  # No universal Debian/Ubuntu fixed floor could be asserted from the reviewed primary sources.
  # If a maintainer changelog mentions the CVE explicitly, trust it.
  if command -v zgrep >/dev/null 2>&1; then
    if zgrep -qi 'CVE-2026-4046' /usr/share/doc/libc6/changelog.Debian.gz 2>/dev/null; then
      return 0
    fi
  fi
  return 1
}

main() {
  local glibc_ver
  glibc_ver=$(get_glibc_ver)

  if [ -z "$glibc_ver" ]; then
    say 'UNKNOWN: could not determine glibc version'
    exit 2
  fi

  if rpm_backport_fixed; then
    say "PATCHED: distro backport evidence found for CVE-2026-4046"
    exit 0
  fi

  if dpkg_backport_fixed; then
    say "PATCHED: distro changelog indicates CVE-2026-4046 fix"
    exit 0
  fi

  if ! has_ibm139x_modules; then
    say "PATCHED: IBM1390/IBM1399 gconv modules not present, vulnerable path not reachable on this host"
    exit 0
  fi

  if version_gt "$glibc_ver" '2.43'; then
    say "PATCHED: glibc version $glibc_ver is newer than 2.43"
    exit 0
  fi

  if version_le "$glibc_ver" '2.43'; then
    say "VULNERABLE: glibc $glibc_ver with IBM1390/IBM1399 converters present"
    exit 1
  fi

  say "UNKNOWN: unable to reach a confident conclusion"
  exit 2
}

main "$@"

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat this like a fleet-wide fire drill: identify the smaller set of internet-facing or business-critical services that actually perform attacker-influenced charset conversion, then remove IBM1390/IBM1399 support where unused and patch those systems first. This lands at MEDIUM, so there is no noisgate mitigation SLA — go straight to the 365-day remediation window; under the noisgate remediation SLA, complete vendor patching/backported package uptake within 365 days, with any public text-ingestion services pulled forward inside normal maintenance because they are the only place this bug is likely to matter.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.