The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode through 57.1 for C/C++ does not ensure that there is a "\0" character at the end of a certain temporary array, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a call with a long argument. And possibly needs some more follow-up fixes, cf. with upstream changes around/later than changeset 39109.