-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:49.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in iconv(3)

Category:       core
Module:         iconv
Announced:      2026-06-30
Credits:        Nick Wellnhofer
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-30 17:20:21 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:22:10 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:40 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:20:02 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:21:12 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:46 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-58081, CVE-2026-58082
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
iconv(3) converts text between character encodings. It is implemented
as a set of loadable encoding modules in the C library, and is used by
many applications and libraries to process internationalized text.
II. Problem Description
Several encoding modules, including HZ, UTF-7, VIQR, and ZW, did not
properly check the size of the caller-supplied output buffer before
writing converted characters. [CVE-2026-58081]
The ISO-2022 encoding module used a stack buffer sized to MB_LEN_MAX
(6 bytes) for intermediate character output. Some ISO-2022 variants
can require up to 10 bytes per character, in which case conversions
can trigger a stack buffer overflow of up to four bytes. [CVE-2026-58082]
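As an added illustration of the two defects described above (not FreeBSD's iconv code), the constructed C example below models one ISO-2022-style conversion step: the intermediate buffer is sized to the module's real worst case rather than MB_LEN_MAX, and the caller's remaining output space is checked before anything is written. encode_step, struct step and the escape byte sequences are hypothetical; only the outbuf/outbytesleft convention and the 6- and 10-byte figures come from the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>  /* ssize_t */

#define FREEBSD_MB_LEN_MAX 6   /* MB_LEN_MAX on FreeBSD, per the advisory */
/* Worst case for one conversion step in this model. The advisory gives
 * 10 bytes for some ISO-2022 variants, so MB_LEN_MAX is the wrong size. */
#define ISO2022_MAX_SEQ 10

/* A constructed conversion step: escape prefixes, then the character bytes. */
struct step {
    const char *designation; size_t dlen;   /* e.g. ESC $ ( D */
    const char *shift;       size_t slen;   /* e.g. ESC N     */
    const char *chr;         size_t clen;   /* 1 or 2 bytes   */
};

/* Emit one step using the iconv(3) outbuf/outbytesleft convention. Returns
 * the byte count written, or -1 with errno = E2BIG when the caller's
 * remaining space cannot hold the whole sequence; on failure nothing is
 * written and the caller's pointers are left untouched. */
ssize_t encode_step(const struct step *st, char **outbuf, size_t *outbytesleft)
{
    char tmp[ISO2022_MAX_SEQ];  /* sized to the module's real maximum, not MB_LEN_MAX */
    size_t n = st->dlen + st->slen + st->clen;
    if (n > sizeof(tmp)) { errno = EINVAL; return -1; }  /* internal limit, never overflow */
    memcpy(tmp, st->designation, st->dlen);
    memcpy(tmp + st->dlen, st->shift, st->slen);
    memcpy(tmp + st->dlen + st->slen, st->chr, st->clen);
    /* The check the affected modules lacked: compare against the caller's space. */
    if (n > *outbytesleft) { errno = E2BIG; return -1; }
    memcpy(*outbuf, tmp, n);
    *outbuf += n;
    *outbytesleft -= n;
    return (ssize_t)n;
}

int main(void)
{
    /* Constructed 8-byte step: 4-byte designation, 2-byte single shift, 2-byte char. */
    struct step st = { "\x1b$(D", 4, "\x1bN", 2, "\x30\x21", 2 };
    char buf[FREEBSD_MB_LEN_MAX];  /* a caller that budgeted only MB_LEN_MAX bytes */
    char *out = buf; size_t left = sizeof(buf);
    if (encode_step(&st, &out, &left) < 0 && errno == E2BIG)
        printf("refused: step needs 8 bytes, caller offered %zu\n", left);
    return 0;
}
```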
III. Impact
An application that uses iconv(3) to convert untrusted input to or
from one of the affected encodings may be vulnerable to buffer overflows
if it uses one of the affected encoding modules.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart all applications that use iconv(3), or reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch.asc
# gpg --verify iconv.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch -E -p0 < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart all daemons that use the library, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              034e21efa19d    stable/15-n284336
releng/15.1/                            6b2dad9fe87d  releng/15.1-n283581
releng/15.0/                            2ac85d131d91  releng/15.0-n281085
stable/14/                              d62d0b6586a8    stable/14-n274461
releng/14.4/                            b819674449de  releng/14.4-n273745
releng/14.3/                            32f296b69571  releng/14.3-n271545
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at