Patch musl's CVE-2026-6042 and CVE-2026-40200#155171

cuviper · 2026-04-11T22:12:27Z

CVE-2026-6042 is a denial of service in iconv.
CVE-2026-40200 is an out-of-bounds write in qsort.

Neither is relevant to Rust itself, but they could be used in mixed-language projects that link with our self-contained/libc.a.

rustbot · 2026-04-11T22:12:33Z

r? @Mark-Simulacrum

rustbot has assigned @Mark-Simulacrum.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

Owners of files modified in this PR: infra-ci
infra-ci expanded to Kobzol, Mark-Simulacrum, jdno, jieyouxu, marcoieni
Random selection from Mark-Simulacrum, jdno, marcoieni

cuviper · 2026-04-11T22:17:18Z

Nominating for 1.96-beta and 1.95-stable.

@rustbot label +beta-nominated +stable-nominated

cuviper · 2026-04-11T22:21:00Z

@bors try jobs=dist-arm-linux-musl,dist-i586-gnu-i586-i686-musl,dist-various-1,dist-various-2,dist-x86_64-musl,test-various

Patch musl's CVE-2026-6042 and CVE-2025-26519 try-job: dist-arm-linux-musl try-job: dist-i586-gnu-i586-i686-musl try-job: dist-various-1 try-job: dist-various-2 try-job: dist-x86_64-musl try-job: test-various

- [CVE-2026-6042] is a denial of service in `iconv`. - [CVE-2026-40200] is an out-of-bounds write in `qsort`. Neither is relevant to Rust itself, but they could be used in mixed- language projects that link with our `self-contained/libc.a`. [CVE-2026-6042]: https://www.openwall.com/lists/oss-security/2026/04/09/19 [CVE-2026-40200]: https://www.openwall.com/lists/musl/2026/04/10/3

cuviper · 2026-04-11T22:27:40Z

Sorry, I mixed up my CVE numbers and links when writing the commit message, now fixed. The patches were the right ones though, so the try build should still be testing the right thing.

Mark-Simulacrum · 2026-04-11T23:18:03Z

r=me in principle, and I think I'll probably pull this into stable artifact building ~Monday. Not sure we really have a team to approve the backport (compiler? libs?) but it feels like it should be uncontroversial.

rust-bors · 2026-04-12T00:48:17Z

☀️ Try build successful (CI)
Build commit: c072ac5 (c072ac5e4268735cbce40bf48eccf5a70e127378, parent: bf4fbfb7a18d74e7cd8eef93af7329c58fbb5344)

Mark-Simulacrum · 2026-04-12T01:20:47Z

@bors r+ p=1

rust-bors · 2026-04-12T01:20:52Z

📌 Commit 8830551 has been approved by Mark-Simulacrum

It is now in the queue for this repository.

rustbot assigned Mark-Simulacrum Apr 11, 2026

rustbot added beta-nominated Nominated for backporting to the compiler in the beta channel. stable-nominated Nominated for backporting to the compiler in the stable channel. labels Apr 11, 2026

This comment has been minimized.

Sign in to view

cuviper changed the title ~~Patch musl's CVE-2026-6042 and CVE-2025-26519~~ Patch musl's CVE-2026-6042 and CVE-2026-40200 Apr 11, 2026

cuviper force-pushed the musl-cves branch from e7f91d9 to 8830551 Compare April 11, 2026 22:26

rust-bors bot added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Apr 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Patch musl's CVE-2026-6042 and CVE-2026-40200#155171