-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:49.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in iconv(3)

Category:       core
Module:         iconv
Announced:      2026-06-30
Credits:        Nick Wellnhofer
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-30 17:20:21 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:22:10 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:40 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:20:02 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:21:12 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:46 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-58081, CVE-2026-58082

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

iconv(3) converts text between character encodings.  It is implemented as a
set of loadable encoding modules in the C library, and is used by many
applications and libraries to process internationalized text.

II.  Problem Description

Several encoding modules, including HZ, UTF-7, VIQR, and ZW, did not properly
check the size of the caller-supplied output buffer before writing converted
characters. [CVE-2026-58081]

The ISO-2022 encoding module used a stack buffer sized to MB_LEN_MAX (6 bytes)
for intermediate character output.  Some ISO-2022 variants can require up to
10 bytes per character, in which case conversions can trigger a stack buffer
overflow of up to four bytes. [CVE-2026-58082]

III. Impact

An application that uses iconv(3) to convert untrusted input to or from one of
the affected encodings may be vulnerable to buffer overflows if it uses one of
the affected encoding modules.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

Restart all applications that use iconv(3), or reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              034e21efa19d    stable/15-n284336
releng/15.1/                            6b2dad9fe87d  releng/15.1-n283581
releng/15.0/                            2ac85d131d91  releng/15.0-n281085
stable/14/                              d62d0b6586a8    stable/14-n274461
releng/14.4/                            b819674449de  releng/14.4-n273745
releng/14.3/                            32f296b69571  releng/14.3-n271545
-------------------------------------------------------------------------

Run the following command to see which files were modified by a particular
commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
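As an added example that is not part of the advisory, the following POSIX sh function compares a FreeBSD userland version string (what freebsd-version(1) prints with -u) against the patch levels from the Corrected: field above, so an administrator can confirm after freebsd-update(8) that the installed libc contains the fix. It assumes version strings shaped like "14.3-RELEASE-p16"; STABLE and CURRENT branches are reported as unknown, since those are compared by commit count as described in section VI.

```sh
#!/bin/sh
# Added example, not part of the FreeBSD advisory.  Compares a FreeBSD
# userland version string against the patch levels that contain the
# SA-26:49 iconv fix.  Assumes strings shaped like "14.3-RELEASE-p16".

# Release branch -> first patch level that carries the fix, taken from the
# advisory's Corrected: field.
SA_26_49_FIXED="15.1:1 15.0:11 14.4:7 14.3:16"

# sa26_49_status VERSION
# Prints "fixed", "vulnerable" or "unknown" (unknown: a STABLE/CURRENT
# branch, an unparsable string, or a release not listed in the advisory).
sa26_49_status() {
    ver="$1"
    rel="${ver%%-*}"            # "14.3"
    rest="${ver#*-}"            # "RELEASE-p16"
    if [ "$rel" = "$ver" ]; then
        echo unknown; return 0  # no "-" at all: not a version string
    fi
    case "$rest" in
        RELEASE)      patch=0 ;;
        RELEASE-p*)   patch="${rest#RELEASE-p}" ;;
        *)            echo unknown; return 0 ;;   # e.g. STABLE: use section VI
    esac
    case "$patch" in
        ''|*[!0-9]*)  echo unknown; return 0 ;;   # non-numeric patch level
    esac
    for entry in $SA_26_49_FIXED; do
        if [ "${entry%%:*}" = "$rel" ]; then
            if [ "$patch" -ge "${entry#*:}" ]; then
                echo fixed
            else
                echo vulnerable
            fi
            return 0
        fi
    done
    echo unknown
}

# When run on a FreeBSD host, report the status of the installed userland
# (freebsd-version -u reports the userland, which is where iconv(3) lives).
if command -v freebsd-version >/dev/null 2>&1; then
    sa26_49_status "$(freebsd-version -u)"
fi
```

A "fixed" result only means the patch level is at or past the correction; applications that loaded the old libc still need to be restarted, as section V says.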