PatchSiren cyber security CVE debrief
CVE-2016-10228 Gnu CVE debrief
CVE-2016-10228 is a glibc iconv availability issue: under the right option combination, invalid multibyte input can send the conversion logic into an infinite loop and hang the process. The supplied record describes impact in terms of denial of service, and NVD classifies it as medium severity with availability-only impact. This matters most for software that invokes iconv on untrusted or attacker-influenced text or file content.
- Vendor: Gnu
- Product: CVE-2016-10228
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Administrators, distro maintainers, and application developers who rely on GNU glibc iconv for text conversion, especially where malformed or user-supplied multibyte data may be processed.
Technical summary
The vulnerability affects the GNU C Library iconv program/library behavior when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) together with the -c option. When invalid multibyte input sequences are processed, the conversion path can enter an infinite loop instead of terminating cleanly, resulting in a denial of service. NVD associates the issue with CWE-20 and rates it CVSS v3.0 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). The supplied record's description says glibc 2.31 and earlier, while the NVD CPE criteria currently list affected versions only through 2.25; that scope discrepancy should be checked against distro-specific advisories.
Defensive priority
Medium. Prioritize systems that process untrusted text or files through iconv, because the issue can hang affected processes and services even though it does not expose confidentiality or integrity impact.
Recommended defensive actions
- Apply the vendor or distribution security update that includes the glibc/iconv fix.
- Review any application paths that call iconv on attacker-controlled or malformed input and add input validation or safe-fail handling where possible.
- If you operate multiple Linux distributions, verify affected package versions against the relevant distro advisory rather than relying only on the generic CVE summary.
- Monitor for unusually long-running or stuck text-conversion processes that could indicate a hang condition.
- Use the official CVE and NVD entries plus downstream advisories to confirm your exact exposure window and fixed package versions.
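The "safe-fail handling" recommended above, as an added example that is not part of this debrief or of glibc: instead of delegating invalid-input handling to the //IGNORE or //TRANSLIT suffixes and -c, the caller replaces each invalid or unconvertible sequence itself and bounds the number of iconv() calls, so the conversion always makes forward progress and cannot hang on hostile input. It assumes a POSIX iconv that exposes "UTF-8" and "ASCII" (glibc does); the function and status names are this example's own.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <string.h>

/* Status codes returned by convert_bounded() (names chosen for this example). */
enum { CONV_OK = 0, CONV_OPEN_FAILED, CONV_OUT_FULL, CONV_STEP_LIMIT, CONV_ERROR };

/* Byte length a UTF-8 sequence claims from its lead byte (1 for ASCII,
   continuation or invalid lead bytes), so one bad character costs one '?'. */
static size_t utf8_seq_len(unsigned char lead) {
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    return 1;
}

/* Convert UTF-8 input to `to` (e.g. "ASCII") without //IGNORE or //TRANSLIT:
   invalid or unconvertible sequences become '?', and `max_steps` caps the
   number of iconv() calls so a looping conversion fails instead of hanging.
   Returns a status code; *outlen is set only on CONV_OK. */
int convert_bounded(const char *to, const char *in, size_t inlen,
                    char *out, size_t outcap, size_t *outlen, unsigned max_steps) {
    iconv_t cd = iconv_open(to, "UTF-8");
    if (cd == (iconv_t)-1) return CONV_OPEN_FAILED;
    char *inp = (char *)in, *outp = out;
    size_t inleft = inlen, outleft = outcap;
    int status = CONV_OK;
    for (unsigned step = 0; inleft > 0; step++) {
        if (step >= max_steps) { status = CONV_STEP_LIMIT; break; }
        if (iconv(cd, &inp, &inleft, &outp, &outleft) != (size_t)-1) break;
        if (errno == E2BIG) { status = CONV_OUT_FULL; break; }
        if (errno != EILSEQ && errno != EINVAL) { status = CONV_ERROR; break; }
        if (outleft == 0) { status = CONV_OUT_FULL; break; }
        *outp++ = '?'; outleft--;                  /* safe-fail replacement */
        size_t skip = (errno == EINVAL) ? inleft   /* truncated tail: drop it */
                                        : utf8_seq_len((unsigned char)*inp);
        if (skip > inleft) skip = inleft;
        inp += skip; inleft -= skip;               /* guaranteed forward progress */
    }
    if (status == CONV_OK) {
        iconv(cd, NULL, NULL, &outp, &outleft);    /* flush any shift state */
        *outlen = (size_t)(outp - out);
    }
    iconv_close(cd);
    return status;
}
```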
Evidence notes
CVE published 2017-03-02 and later modified 2026-05-13 in the supplied record. NVD marks the vulnerability status as Modified and provides CVSS v3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-20. References in the record include the oss-security mailing list post dated 2017-03-01, Sourceware bug 19519, and downstream advisories from Gentoo, Debian LTS, Oracle, Apache Mina, and SecurityFocus. The supplied description states glibc 2.31 and earlier, while the NVD CPE criteria list cpe:2.3:a:gnu:glibc:* with versionEndIncluding 2.25; that mismatch is noted as an evidence-quality concern.
Official resources
- CVE-2016-10228 CVE record (CVE.org)
- CVE-2016-10228 NVD detail (NVD)
- Mitigation or vendor reference (NVD tags: Mailing List, Third Party Advisory)
- Source reference (NVD tag: Issue Tracking)
Public CVE disclosure date in the supplied record is 2017-03-02. The reference set also includes an oss-security mailing list post dated 2017-03-01, indicating public discussion immediately before CVE publication.