{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-40200", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T14:32:24.901Z", "dateReserved": "2026-04-10T00:00:00.000Z", "datePublished": "2026-04-10T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "musl", "vendor": "musl-libc", "versions": [{"lessThanOrEqual": "1.2.6", "status": "affected", "version": "0.7.10", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical)."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T16:05:29.860Z"}, "references": [{"url": "https://musl.libc.org/releases.html"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/10/13"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:musl-libc:musl:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.7.10", "versionEndIncluding": "1.2.6"}]}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T17:17:25.925Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:31:53.778314Z", "id": "CVE-2026-40200", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:32:24.901Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/10/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-10T17:17:25.925Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40200", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:31:53.778314Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:32:20.654Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "musl-libc", "product": "musl", "versions": [{"status": "affected", "version": "0.7.10", "versionType": "semver", "lessThanOrEqual": "1.2.6"}], "defaultStatus": "unknown"}], "references": [{"url": "https://musl.libc.org/releases.html"}, {"url": "https://www.openwall.com/lists/oss-security/2026/04/10/13"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:musl-libc:musl:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "1.2.6", "versionStartIncluding": "0.7.10"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-10T16:05:29.860Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40200", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:32:24.901Z", "dateReserved": "2026-04-10T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-10T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in musl libc 0.7.10 through 1.2.6. Stack-based memory corruption can occur during qsort of very large arrays, due to incorrectly implemented double-word primitives. The number of elements must exceed about seven million, i.e., the 32nd Leonardo number on 32-bit platforms (or the 64th Leonardo number on 64-bit platforms, which is not practical)."}], "id": "CVE-2026-40200", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.4, "impactScore": 6.0, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-10T17:17:14.107", "references": [{"source": "cve@mitre.org", "url": "https://musl.libc.org/releases.html"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/04/10/13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/10/13"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "cve@mitre.org", "type": "Secondary"}]}

{"bugzilla": {"description": "musl: musl libc: Arbitrary code execution and denial of service via stack-based memory corruption in qsort", "id": "2457369", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457369"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in musl libc. This stack-based memory corruption vulnerability occurs when the `qsort` function processes extremely large arrays due to incorrectly implemented double-word primitives. A local attacker could exploit this by providing a specially crafted, very large array, potentially leading to arbitrary code execution or a denial of service."], "name": "CVE-2026-40200", "public_date": "2026-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40200\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40200\nhttps://musl.libc.org/releases.html\nhttps://www.openwall.com/lists/oss-security/2026/04/10/13"], "statement": "AN IMPORTANT stack-based memory corruption flaw in musl libc's `qsort` function could lead to arbitrary code execution or denial of service. This vulnerability requires a local attacker to provide an extremely large, specially crafted array, exceeding millions of elements, making practical exploitation highly improbable in typical Red Hat environments.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.7.10,1.2.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "musl", "source": "cna", "vendor": "musl-libc"}, "product": "musl", "vendor": "musl-libc"}], "analysis": {"en": {"generated_at": "2026-04-14T13:51:51.448874+00:00", "value": {"mitigation_remediation": ["Upgrade musl libc to a version newer than 1.2.6, ideally the latest release from musl.libc.org.", "If an upgrade cannot be performed immediately, modify applications that use qsort to avoid sorting arrays larger than about seven million elements or replace qsort with a safer sorting routine that bounds the input size.", "Verify that no accessible services, scripts, or APIs process exceptionally large inputs that could trigger the bug; if they do, enforce input size limits at the application level.", "Monitor vendor advisories and security mailing lists for the latest patches and apply them promptly."], "summary": {"action": "Apply Patch", "impact": "Stack\u2011based memory corruption leading to arbitrary code execution and denial of service"}, "threat_synthesis": {"affected_systems": "musl libc versions 0.7.10 through 1.2.6 are affected. Systems that ship with these versions, including many Linux distributions and embedded devices that rely on musl as the standard C library, are at risk. No other vendors or products are listed. Users should verify the musl version in use and compare it to the affected range.", "description_and_impact": "An implementation flaw in the qsort routine of musl libc causes a stack\u2011based memory corruption when sorting arrays that contain a very large number of elements (exceeding roughly seven million on 32\u2011bit systems). The bug stems from incorrectly implemented double\u2011word primitives, which can overwrite control data on the stack. When triggered, this overflow can allow an attacker to execute arbitrary code or crash the process. The vulnerability is related to integer overflows (CWE\u2011190) and uncontrolled modification of execution flow (CWE\u2011670).", "risk_and_exploitability": "The CVSS base score of 8.1 indicates a high severity issue, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The vulnerability is not listed in the CISA Known Exploit Vulnerabilities catalog, further indicating low exploitation activity. Exploitation requires an attacker to construct a data set large enough to trigger the overflow (a 64\u2011bit environment would need an array size equal to the 64th Leonardo number, which is not practical). Therefore, the realistic attack probability for typical systems is low unless a publicly exposed service or script processes extremely large input arrays."}}}}, "created": "2026-04-13T12:51:40.497695+00:00", "updated": "2026-04-14T16:36:38.680210+00:00", "vendors": ["musl-libc", "musl-libc$PRODUCT$musl"]}