PT-2021-23827 · Gnu · Glibc

Published 2021-11-04 · Updated 2025-07-24 · CVE-2021-43396

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: GNU C Library (aka glibc) version 2.34
Description: Remote attackers can force iconv() to emit a spurious '0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases. The vendor states that the bug cannot be triggered through user input alone and requires iconv() to be invoked with a NULL inbuf, which would require a separate application bug for this to happen unintentionally.
Recommendations: For GNU C Library (aka glibc) version 2.34, consider invoking iconv() with a non-NULL inbuf to prevent the emission of spurious '0' characters. As a temporary workaround, consider restricting the handling of untrusted ISO-2022-JP-3 data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.


Related Identifiers

AZL-6443
CVE-2021-43396
OESA-2021-1438

Affected Products

Glibc