CVE-2021-43396

high

Published — · Modified —

CVSS v3

—

CVSS v2

—

VIR risk

8.0

Description

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. NOTE: the vendor states "the bug cannot be invoked through user input and requires iconv to be invoked with a NULL inbuf, which ought to require a separate application bug to do so unintentionally. Hence there's no security impact to the bug.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-43396

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-43396.html

OS impact

OS	Version	Status	Fixed in
arch		fixed	`2.34-1`
sles		affected
debian	bookworm	fixed	`2.32-5`
debian	bullseye	fixed	`2.31-13+deb11u3`
debian	forky	fixed	`2.32-5`
debian	sid	fixed	`2.32-5`
debian	trixie	fixed	`2.32-5`

References

Verify integrity in audit chain (admin only). AS-IS.