How to Safely Mitigate the glibc CVE‑2024‑2961 Iconv Overflow in PHP
This article explains the glibc CVE‑2024‑2961 buffer overflow in ISO‑2022‑CN‑EXT conversion, how it can be exploited through PHP's iconv extension, and provides practical mitigation steps such as applying distro patches, validating charset inputs, and removing vulnerable modules when patches are unavailable.
Recently, a buffer‑overflow bug was discovered in glibc 2.39 and earlier (CVE‑2024‑2961) that occurs when converting to the ISO‑2022‑CN‑EXT charset, potentially allowing remote code execution.
The overflow can be reached from PHP because the iconv extension is a thin wrapper over the system's glibc iconv. So although the bug is exploitable in the context of a PHP application, it is not a PHP bug, and it has no remote trigger of its own: an attacker needs application code that hands a charset they control to iconv.
The flaw is only exploitable when a PHP application calls iconv() with a user-supplied charset, or lets user input select an iconv stream filter. The second case is easy to overlook: a file function that accepts a user-controlled path can be given a php://filter/convert.iconv.* wrapper, and the attacker then chooses the charset through the filter name.
Applications are safe in the following situations:
Glibc security updates from the distribution have been installed.
The iconv extension is not loaded.
The vulnerable charset has been removed from gconv-modules-extra.conf.
The application only passes explicitly allowed charsets to iconv.
When accepting user-provided charsets, restrict them to an explicit allow-list rather than trying to block the vulnerable name: glibc's iconv resolves charset names case-insensitively and through aliases (ISO2022CNEXT, for instance, selects the same converter as ISO-2022-CN-EXT), and PHP accepts //TRANSLIT and //IGNORE suffixes, so a deny-list keyed on one spelling is trivially bypassed. For example, store the permitted encodings in an array and check the input with a strict array_search() before calling iconv, remembering that array_search() returns the matching key (which may be 0) or false, so the result must be compared with !== false: array_search($charset, $allowed_list, true) !== false
Many online posts use misleading titles such as "Mitigate PHP iconv vulnerability (CVE-2024-2961)" or "PHP under attack," which suggest a PHP-specific bug; the issue actually resides in glibc.
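The allow-list check written out, as an added example for this article (it is not code from the original post or from the PHP project). The allow-list contents, the function names and the sample inputs at the bottom are assumptions chosen for illustration; the point is that only strings taken from the application's own list ever reach iconv().

```php
<?php
// Added example (not from the original article or the PHP project): validate a
// user-supplied charset against an allow-list before it reaches iconv().
// ALLOWED_CHARSETS, the function names and the sample inputs are assumptions.

declare(strict_types=1);

// Encodings this application is prepared to convert between. Only these exact
// strings are ever handed to iconv(); the user's input is used for lookup only.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'WINDOWS-1252', 'UTF-16LE'];

/**
 * Map a user-supplied charset to its canonical allow-listed name, or null.
 *
 * Comparison is case-insensitive and ignores any //TRANSLIT or //IGNORE
 * suffix, because glibc accepts both and also accepts aliases such as
 * ISO2022CNEXT for ISO-2022-CN-EXT. That is why a deny-list keyed on one
 * spelling of the vulnerable name is not enough, while an allow-list is.
 */
function resolve_charset(string $userCharset): ?string
{
    $base = strtoupper(trim(preg_replace('~//.*$~', '', $userCharset)));
    $key = array_search($base, array_map('strtoupper', ALLOWED_CHARSETS), true);
    return $key === false ? null : ALLOWED_CHARSETS[$key];
}

/** Convert $text, refusing (rather than falling back) on unknown charsets. */
function safe_convert(string $text, string $fromUser, string $toUser): string
{
    $from = resolve_charset($fromUser);
    $to = resolve_charset($toUser);
    if ($from === null || $to === null) {
        throw new InvalidArgumentException('unsupported charset');
    }
    // The application, not the caller, decides on the //TRANSLIT behaviour.
    $out = iconv($from, $to . '//TRANSLIT', $text);
    if ($out === false) {
        throw new RuntimeException('conversion failed');
    }
    return $out;
}

// Constructed inputs: a legitimate request, and an attempt to reach the
// vulnerable glibc module through an alias plus a suffix.
assert(resolve_charset('utf-8//IGNORE') === 'UTF-8');
assert(resolve_charset('ISO2022CNEXT//TRANSLIT') === null);
assert(safe_convert("caf\xC3\xA9", 'utf-8', 'iso-8859-1') === "caf\xE9");
```

The same resolve_charset() lookup should guard any place a user string is spliced into a php://filter/convert.iconv.* filter name; if the application never needs user-selected charsets at all, the simplest allow-list is the one that contains only the encodings it converts between by design.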
If your PHP application could be affected, first check whether your Linux distribution has released a patched glibc package. Debian, CentOS and the other major distributions have already published updates, so upgrade as soon as possible.
Note: once the glibc update is installed the problem is fully mitigated without touching PHP, because PHP loads glibc as a shared library. Two things still matter: running processes keep the old library mapped until they are restarted, so restart php-fpm, Apache or whatever hosts the PHP runtime (or reboot); and if PHP runs in a container, it is the image's glibc that has to be updated, not the host's.
If your distribution has not yet shipped a fixed glibc, there is no PHP-side patch, but a workaround is described in "GLIBC Vulnerability on Servers Serving PHP": remove the ISO-2022-CN-EXT entries from every gconv-modules-extra.conf on the system (the module lines and the ISO2022CNEXT and CSISO2022CNEXT alias lines that point at them), run iconvconfig so that the gconv-modules.cache file no longer advertises the module, and restart the PHP processes. Afterwards, iconv -l | grep -i 2022-CN-EXT should print nothing.
PHP builds for Windows are not affected, because they bundle their own libiconv rather than using glibc, and the same holds for any PHP build that is not linked against glibc's iconv. No PHP release targeting this vulnerability will be issued.
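A self-check for the workaround above, as an added example for this article (not code from the original post or the PHP project): it asks, from inside a PHP process, whether the ISO-2022-CN-EXT converter can still be opened, both through iconv() and through the convert.iconv stream filter that php://filter exposes. Function names, the alias list and the probe strings are assumptions for illustration. It verifies that the module removal or the removal of the iconv extension took effect; it does not tell you whether glibc itself is patched, because on a fixed glibc the converter is legitimately still present.

```php
<?php
// Added example (not from the original article or the PHP project): confirm
// that the vulnerable converter is no longer reachable from this PHP process
// after the gconv-modules-extra.conf workaround or after dropping the iconv
// extension. Function names, VULNERABLE_CHARSETS and the probes are assumptions.

declare(strict_types=1);

// Canonical name plus the aliases that glibc's gconv configuration maps onto
// the same module; all of them have to be gone, not just the first.
const VULNERABLE_CHARSETS = ['ISO-2022-CN-EXT', 'ISO2022CNEXT', 'CSISO2022CNEXT'];

/**
 * True if iconv() can still open a converter to ISO-2022-CN-EXT.
 * With the module removed (and the cache rebuilt with iconvconfig), glibc
 * reports an unknown charset, which PHP surfaces as a false return plus an
 * E_NOTICE; the @ keeps that notice out of the output. The probe is plain
 * ASCII, which the converter copies through unchanged, so the probe itself
 * never exercises the overflow.
 */
function iconv_converter_reachable(): bool
{
    if (!extension_loaded('iconv')) {
        return false; // no extension, no path from PHP into glibc's iconv
    }
    foreach (VULNERABLE_CHARSETS as $name) {
        if (@iconv('UTF-8', $name, 'probe') !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Same question for the stream filter route (php://filter/convert.iconv.*),
 * the path an attacker reaches through a user-controlled file name.
 * stream_filter_append() returns false when the iconv filter cannot be
 * constructed for the requested charset pair.
 */
function iconv_filter_reachable(): bool
{
    if (!extension_loaded('iconv')) {
        return false;
    }
    foreach (VULNERABLE_CHARSETS as $name) {
        $fp = fopen('php://memory', 'r+');
        fwrite($fp, 'probe');
        rewind($fp);
        $filter = @stream_filter_append($fp, 'convert.iconv.UTF-8.' . $name, STREAM_FILTER_READ);
        fclose($fp);
        if ($filter !== false) {
            return true;
        }
    }
    return false;
}

$reachable = iconv_converter_reachable() || iconv_filter_reachable();
echo $reachable
    ? "ISO-2022-CN-EXT is still reachable from PHP: apply the glibc update or the gconv workaround\n"
    : "ISO-2022-CN-EXT is not reachable from this PHP process\n";
exit($reachable ? 1 : 0);
```

Run it with the same PHP binary and user that serves the application (php-fpm, mod_php or the CLI), since each sees whichever glibc and gconv cache it has loaded; a non-zero exit is the signal to re-check the conf files, the cache and the service restart.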
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Open Source Tech Hub