Problem Description:
Several encoding modules, including HZ, UTF-7, VIQR, and ZW,
did not properly check the size of the caller-supplied output buffer
before writing converted characters. [CVE-2026-58081]

The ISO-2022 encoding module used a stack buffer sized to MB_LEN_MAX
(6 bytes) for intermediate character output. Some ISO-2022 variants
can require up to 10 bytes per character, in which case conversions
can trigger a stack buffer overflow of up to four bytes.
[CVE-2026-58082]

Impact:
An application that uses iconv(3) to convert untrusted input
to or from one of the affected encodings may be vulnerable to buffer
overflows.
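
Added example, not part of the original advisory and not the affected
library's code: a constructed toy encoder showing the two checks the
Problem Description turns on. The scratch buffer is sized from the
encoding's own worst case rather than MB_LEN_MAX, and the caller-supplied
output size is checked before any byte is written. All names, the escape
sequences and the 10-byte layout are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy encoding (not real ISO-2022): a character may be
 * preceded by a 4-byte announcer and a 4-byte charset designation. */
enum { ANNOUNCE_LEN = 4, DESIGNATE_LEN = 4, CHAR_MAX_LEN = 2,
       TOY_MAX_OUT = ANNOUNCE_LEN + DESIGNATE_LEN + CHAR_MAX_LEN }; /* 10 */

struct toy_state { int announced; int charset; }; /* charset: 0 = 1-byte, 1 = 2-byte */

/* Encode cp into tmp, which must hold TOY_MAX_OUT bytes; updates *st. */
static size_t toy_encode(struct toy_state *st, unsigned cp, unsigned char *tmp)
{
    size_t n = 0;
    int want = cp >= 0x80;            /* hypothetical charset selection rule */
    if (!st->announced) {
        memcpy(tmp + n, "\x1b&@A", ANNOUNCE_LEN);
        n += ANNOUNCE_LEN;
        st->announced = 1;
    }
    if (want != st->charset) {
        memcpy(tmp + n, want ? "\x1b$(X" : "\x1b$(B", DESIGNATE_LEN);
        n += DESIGNATE_LEN;
        st->charset = want;
    }
    if (want)
        tmp[n++] = (unsigned char)((cp >> 8) & 0x7f);
    tmp[n++] = (unsigned char)(cp & 0x7f);
    return n;
}

/* iconv(3)-style output step: 0 on success, -1 with errno = E2BIG when
 * the caller's buffer is too small (nothing written, state unchanged). */
int toy_put(struct toy_state *st, unsigned cp, char **out, size_t *outleft)
{
    unsigned char tmp[TOY_MAX_OUT];   /* sized from the encoding, not MB_LEN_MAX */
    struct toy_state next = *st;      /* commit state only after the copy */
    size_t n = toy_encode(&next, cp, tmp);
    if (n > *outleft) {               /* check caller-supplied size before writing */
        errno = E2BIG;
        return -1;
    }
    memcpy(*out, tmp, n);
    *out += n;
    *outleft -= n;
    *st = next;
    return 0;
}
```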