{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24797", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:18:43.268Z", "datePublished": "2026-01-27T08:25:17.496Z", "dateUpdated": "2026-01-27T21:38:37.425Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/neka-nat/cupoch", "defaultStatus": "affected", "modules": ["third_party/libjpeg-turbo/libjpeg-turbo"], "product": "cupoch", "programFiles": ["tjbench.c"], "vendor": "neka-nat", "versions": [{"lessThan": "v0.2.11.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules).<p> This vulnerability is associated with program files <tt>tjbench.C</tt>.</p><p>This issue affects cupoch.</p>"}], "value": "Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C.\n\nThis issue affects cupoch."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:A/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:25:17.496Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/neka-nat/cupoch/pull/138"}], "source": {"discovery": "UNKNOWN"}, "title": "An out of bounds write due to a missing bounds check in neka-nat/cupoch", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T21:09:38.092555Z", "id": "CVE-2026-24797", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:38:37.425Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24797", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T21:09:38.092555Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T21:09:40.532Z"}}], "cna": {"title": "An out of bounds write due to a missing bounds check in neka-nat/cupoch", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 6.9, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:A/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "neka-nat", "modules": ["third_party/libjpeg-turbo/libjpeg-turbo"], "product": "cupoch", "versions": [{"status": "affected", "version": "0", "lessThan": "v0.2.11.0", "versionType": "git"}], "programFiles": ["tjbench.c"], "collectionURL": "https://github.com/neka-nat/cupoch", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/neka-nat/cupoch/pull/138", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C.\n\nThis issue affects cupoch.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules).<p> This vulnerability is associated with program files <tt>tjbench.C</tt>.</p><p>This issue affects cupoch.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:25:17.496Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24797", "state": "PUBLISHED", "dateUpdated": "2026-01-27T21:38:37.425Z", "dateReserved": "2026-01-27T08:18:43.268Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:25:17.496Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C.\n\nThis issue affects cupoch."}, {"lang": "es", "value": "Vulnerabilidad de escritura fuera de l\u00edmites en neka-nat cupoch (m\u00f3dulos de terceros/libjpeg-turbo/libjpeg-turbo). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa tjbench.C.\n\nEste problema afecta a cupoch."}], "id": "CVE-2026-24797", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:49.510", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/neka-nat/cupoch/pull/138"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:27:34.247394+00:00", "value": {"mitigation_remediation": ["Apply the latest cupoch release from GitHub, which includes the bounds\u2011check fix in libjpeg\u2011turbo.", "If immediate upgrade is not feasible, restrict tjbench.C file processing to trusted users and implement additional input validation or bounds checks before performing writes in the vulnerable code.", "Review the source code of the libjpeg\u2011turbo module to confirm removal of the missing bounds check; if necessary, apply a temporary patch that adds explicit bounds verification before memory writes."], "summary": {"action": "Patch", "impact": "Potential arbitrary code execution via memory corruption"}, "threat_synthesis": {"affected_systems": "The issue affects the cupoch project maintained by neka\u2011nat. It specifically targets the libjpeg\u2011turbo components used by cupoch when handling tjbench.C inputs. No version range is supplied, so all releases using the affected code path may be vulnerable until a patch is applied.", "description_and_impact": "This vulnerability arises from missing bounds checking in cupoch's libjpeg\u2011turbo module, allowing an out\u2011of\u2011bounds write when processing tjbench.C files. The write can corrupt memory, potentially granting an attacker the ability to execute arbitrary code, cause denial of service, or disclose confidential data, consistent with CWE\u2011787.", "risk_and_exploitability": "The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% and absence from CISA's KEV list suggest exploitation is currently unlikely, but the vulnerability remains exploitable if an attacker can influence input to the vulnerable module. The attack vector is not explicitly documented; based on the description of tjbench.C processing, it is inferred that an attacker could trigger the write by supplying crafted tjbench.C data or by manipulating file handling routines."}}}}, "created": "2026-01-27T20:17:15.395773+00:00", "updated": "2026-04-18T02:30:15.871020+00:00", "vendors": ["neka-nat", "neka-nat$PRODUCT$cupoch"]}