
This exploit write-up features #musl 1.1.24, whose oldmalloc (dlmalloc-like) was used to convert the exploitable bug in the application into an arbitrary write primitive.

https://www.synacktiv.com/en/publications/make-it-blink-over-the-air-exploitation-of-the-philips-hue-bridge.html

musl 1.2.1 or later, with mallocng, would probably have rendered this non-exploitable or would have at least required non-malloc-based approaches to exploiting the initial application bug.

Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge


SECURITY ADVISORY: musl libc up through 1.2.6 (present version) is affected by CVE-2026-40200 affecting qsort with large arrays.

Unless you have a setup with at least tens of terabytes of virtual memory, this does not affect 64-bit systems, only 32-bit ones. But all users should patch.

https://www.openwall.com/lists/musl/2026/04/10/3

musl - CVE-2026-40200: musl libc: stack corruption in qsort with sufficiently large inputs

An issue has been reported in musl libc's iconv decoder for GB18030 (Chinese) character encoding, whereby performance for decoding certain characters is pathologically bad, allowing DoS in processes handling untrusted data in this encoding or with encoding declared by the input.

The researcher who found the issue has applied for a CVE but it has not yet been assigned: https://www.openwall.com/lists/oss-security/2026/04/02/10

Fix is now available in the musl git repository, and as a patch that may be downloaded and applied to 1.2.6 or any older version: https://git.musl-libc.org/cgit/musl/patch/?id=67219f0130ec7c876ac0b299046460fad31caabf

oss-security - [libc musl] - Algorithmic complexity DoS in iconv GB18030 decoder
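The post above notes that the DoS is reachable wherever a process decodes untrusted data in GB18030, including data whose encoding is declared by the input itself. The usual defensive control, independent of the patch, is to never pass an attacker-chosen charset name straight to iconv_open: gate it through an allowlist of encodings the application actually needs, and cap input size so decoder work stays bounded. The following is an added example written for this page, not code from musl; the allowlist, the size cap and the sample input are constructed for the example.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed allowlist for this example: only encodings whose decoders the
 * application actually needs. GB18030 is deliberately absent, so a decoder
 * with pathological worst-case behaviour is never reachable from untrusted
 * input, however that input declares itself. */
static const char *const allowed_charsets[] = {
    "UTF-8", "UTF-16LE", "UTF-16BE", "US-ASCII", NULL
};

/* Size cap on untrusted input, bounding decoder work even for allowed encodings. */
#define MAX_UNTRUSTED_INPUT (64 * 1024)

/* Returns 1 if the declared charset is on the allowlist (case-insensitive). */
int charset_allowed(const char *cs)
{
    if (!cs) return 0;
    for (size_t i = 0; allowed_charsets[i]; i++)
        if (strcasecmp(cs, allowed_charsets[i]) == 0) return 1;
    return 0;
}

/* iconv_open gate: refuses any source encoding not on the allowlist, failing
 * with EINVAL just as iconv_open does for an unsupported charset. */
iconv_t safe_iconv_open(const char *tocode, const char *fromcode_untrusted)
{
    if (!charset_allowed(fromcode_untrusted)) {
        errno = EINVAL;
        return (iconv_t)-1;
    }
    return iconv_open(tocode, fromcode_untrusted);
}

/* Decode untrusted bytes to UTF-8 using the charset the input itself declared.
 * Returns the number of bytes written to out, or -1 with errno set when the
 * input is rejected (too large, charset not allowed) or conversion fails. */
long decode_untrusted(const char *declared_charset, const char *in, size_t inlen,
                      char *out, size_t outcap)
{
    if (inlen > MAX_UNTRUSTED_INPUT) {
        errno = EMSGSIZE;
        return -1;
    }
    iconv_t cd = safe_iconv_open("UTF-8", declared_charset);
    if (cd == (iconv_t)-1) return -1;

    char *inp = (char *)in, *outp = out;
    size_t inleft = inlen, outleft = outcap;
    size_t r = iconv(cd, &inp, &inleft, &outp, &outleft);
    int saved = errno;
    iconv_close(cd);
    if (r == (size_t)-1) {
        errno = saved;
        return -1;
    }
    return (long)(outcap - outleft);
}

int main(void)
{
    /* Constructed sample: "café" in UTF-16LE, with the charset "declared" by the input. */
    static const char utf16le_in[] = { 'c', 0, 'a', 0, 'f', 0, (char)0xe9, 0 };
    char out[32];
    long n = decode_untrusted("UTF-16LE", utf16le_in, sizeof utf16le_in, out, sizeof out);
    printf("UTF-16LE input: %ld UTF-8 bytes decoded\n", n);

    /* Constructed GB18030 bytes: rejected before any decoder runs. */
    n = decode_untrusted("GB18030", "\xb0\xa1", 2, out, sizeof out);
    printf("GB18030 input: %s\n", n < 0 ? "rejected" : "decoded");
    return 0;
}
```

The gate fails with the same errno that iconv_open uses for an unknown charset, so existing error handling around iconv_open needs no change; the allowlist is the only place an encoding has to be added when a new input format is genuinely required.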

Things #musl libc will never do (broad but not comprehensive):

- Nag you to update.
- Phone home to check if it should nag you to update.
- Tell you a CVE can't be fixed without updating to the latest version.
- Try to force you to switch from glibc to musl.
- Get other software you depend on dependent on musl.
- Rant against "wokeness" or "DEI".
- Integrate "AI" into your libc.
- Give you up.
- Let you down.

Addendum to "things #musl libc will never do":

- Request your age, date of birth, or proof of identity or attempt to report it to applications.

musl 1.2.6 is now available.

For details see the release announcement on the mailing list: https://www.openwall.com/lists/musl/2026/03/20/1

Source link: https://musl.libc.org/releases/musl-1.2.6.tar.gz

Detailed WHATSNEW: https://git.musl-libc.org/cgit/musl/tree/WHATSNEW?id=v1.2.6#n2444

musl - musl 1.2.6 released

The public key fingerprint for #musl release signatures is:

8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F

Republishing this here now for the first time since our move to Treehouse, to follow a past practice for redundancy of sources of trust.
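A fingerprint published out of band is only useful if the tooling that verifies releases pins it rather than trusting whatever key happens to be in a keyring. As an added example (not musl's own tooling), the following C routine checks the machine-readable output of `gpg --with-colons --fingerprint` for an fpr record carrying the fingerprint above; the listing it parses is a constructed, abbreviated sample, and the field layout assumed is gpg's documented colon format, where an fpr record holds the fingerprint in field 10.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The musl release-signing key fingerprint as published in the post above. */
#define MUSL_RELEASE_KEY_FPR "8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F"

/* Constructed, abbreviated sample of `gpg --with-colons --fingerprint` output
 * (not a real listing); only the fpr record matters to the check below. */
const char sample_listing[] =
    "tru::1:1700000000:0:3:1:5\n"
    "pub:-:4096:1:56BCDB593020450F:1400000000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::836489290BB6B70F99FFDA0556BCDB593020450F:\n";

/* Normalise a fingerprint for comparison: drop whitespace, upper-case the hex.
 * Returns the number of hex digits copied, or 0 if any other character is
 * seen or the output buffer is too small. */
size_t normalize_fpr(const char *in, char *out, size_t outcap)
{
    size_t n = 0;
    for (; *in; in++) {
        if (isspace((unsigned char)*in)) continue;
        if (!isxdigit((unsigned char)*in) || n + 1 >= outcap) return 0;
        out[n++] = (char)toupper((unsigned char)*in);
    }
    out[n] = '\0';
    return n;
}

/* Scan colon-format key listing output for fpr records and report whether
 * any of them carries the expected (40 hex digit, v4) fingerprint. */
int key_listing_has_fpr(const char *listing, const char *expected)
{
    char want[64];
    if (normalize_fpr(expected, want, sizeof want) != 40) return 0;

    const char *line = listing;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 4 && strncmp(line, "fpr:", 4) == 0) {
            /* Field 10 begins after the ninth ':' separator. */
            const char *p = line;
            int field = 1;
            while (field < 10 && p < line + len) {
                if (*p == ':') field++;
                p++;
            }
            const char *end = p;
            while (end < line + len && *end != ':') end++;
            char tmp[64], got[64];
            size_t flen = (size_t)(end - p);
            if (flen < sizeof tmp) {
                memcpy(tmp, p, flen);
                tmp[flen] = '\0';
                if (normalize_fpr(tmp, got, sizeof got) == 40 && strcmp(got, want) == 0)
                    return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

int main(void)
{
    printf("pinned musl fingerprint present: %s\n",
           key_listing_has_fpr(sample_listing, MUSL_RELEASE_KEY_FPR) ? "yes" : "no");
    return 0;
}
```

In a real verification script the listing would come from running gpg on the keyring (or on the key file fetched for the release), and a mismatch should abort before any `gpg --verify` of the tarball signature is trusted, since a signature from an unpinned key proves nothing about who made the release.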

While this bug has not been present in any release version, the latest commit to git-master has fixed a buffer overflow in floating point printf introduced in this release cycle: https://git.musl-libc.org/cgit/musl/commit/?id=0ccaf0572e9cccda2cced0f7ee659af4c1c6679a

Only archs with IEEE-quad long double seem to be affected, and only when using the %Le, %Lf, or %Lg format specifier with particular combinations of exponent and mantissa value.

If you are using musl from git master, it's recommended either to upgrade to latest or apply the patch from the above commit.

musl - musl - an implementation of the standard library for Linux-based systems


Traffic down from about 40 GB/day to about 15 GB/day.

This is still orders of magnitude more than is reasonable for a piece of software whose source tree is about 1 MB compressed and whose entire git repo is about 7.5 MB.

Destroy-the-world-every-time CI is a menace.