{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24811", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:39:10.281Z", "datePublished": "2026-01-27T08:47:52.811Z", "dateUpdated": "2026-02-19T16:10:51.424Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/root-project/root", "defaultStatus": "affected", "modules": ["builtins/zlib"], "product": "root", "programFiles": ["inffast.c"], "vendor": "root-project", "versions": [{"lessThanOrEqual": "6.36.00-rc1", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability in root-project root (builtins/zlib modules).<p> This vulnerability is associated with program files <tt>inffast.C</tt>.</p><p>This issue affects root.</p>"}], "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C.\n\nThis issue affects root."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:47:52.811Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/root-project/root/pull/18526"}], "source": {"discovery": "UNKNOWN"}, "title": "An improper pointer arithmetic in root-project/root at builtins/zlib/inffast.c", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T14:49:10.447097Z", "id": "CVE-2026-24811", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:52:04.014Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-19T16:10:51.424Z"}, "references": [{"url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-19T16:10:51.424Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24811", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T14:49:10.447097Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T14:51:28.197Z"}}], "cna": {"title": "An improper pointer arithmetic in root-project/root at builtins/zlib/inffast.c", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 9.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "root-project", "modules": ["builtins/zlib"], "product": "root", "versions": [{"status": "affected", "version": "0", "versionType": "git", "lessThanOrEqual": "6.36.00-rc1"}], "programFiles": ["inffast.c"], "collectionURL": "https://github.com/root-project/root", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/root-project/root/pull/18526", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C.\n\nThis issue affects root.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in root-project root (builtins/zlib modules).<p> This vulnerability is associated with program files <tt>inffast.C</tt>.</p><p>This issue affects root.</p>", "base64": false}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:47:52.811Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24811", "state": "PUBLISHED", "dateUpdated": "2026-02-19T16:10:51.424Z", "dateReserved": "2026-01-27T08:39:10.281Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:47:52.811Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:root:root:*:*:*:*:*:*:*:*", "matchCriteriaId": "52EE8BDB-DA0A-4337-B6D9-D997B89D998E", "versionEndIncluding": "6.34.08", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C.\n\nThis issue affects root."}], "id": "CVE-2026-24811", "lastModified": "2026-02-19T17:24:49.470", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:51.440", "references": [{"source": "cve_disclosure@tech.gov.sg", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/root-project/root/pull/18526"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:22:46.740340+00:00", "value": {"mitigation_remediation": ["Update the ROOT software to a version that includes the fix from pull request 18526.", "Rebuild any configured ROOT-based applications with the updated source to ensure the inffast.c changes are active.", "Until a patch is applied, limit ROOT\u2019s processing of external compressed data or disable untrusted zlib streams to mitigate potential exploitation."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution via memory corruption"}, "threat_synthesis": {"affected_systems": "Vulnerable systems include installations of the root-project ROOT software. The affected vendor is root-project and product ROOT. Exact product versions are not specified in the advisory, so users should consult the vendor or the referenced pull request to verify which releases incorporate the fix. In the absence of version data, any deployment that has not applied the patch from PR 18526 should be considered vulnerable.", "description_and_impact": "The flaw lies in an improper pointer arithmetic in the 'inffast.c' module of the ROOT application, a component that processes ZIP/deflate streams. This incorrect arithmetic can corrupt memory, potentially allowing an attacker to execute arbitrary code on the target system. The vulnerability is classified as a memory corruption weakness and may let malicious data trigger arbitrary code execution when the ROOT application decompresses input files. The damage could include full system compromise, data loss, and persistence if the attacker gains sufficient privileges. Based on the description, it is inferred that the attack vector may involve crafted compressed inputs delivered to ROOT, but no specific evidence of remote exploitation is provided. The risk to confidentiality, integrity, and availability is therefore severe.", "risk_and_exploitability": "The CVSS v3.1 score of 9.3 indicates critical severity, with high impact and multiple attack vectors. The EPSS score is reported as less than 1%, implying that successful exploitation is currently considered unlikely but not impossible. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. An attacker would need to supply specially crafted compressed data that triggers the faulty pointer arithmetic; once triggered, memory corruption could lead to code execution. Because ROOT often processes user-supplied data, the practical risk to exposed services is significant even though the current observed exploit probability remains low."}}}}, "created": "2026-01-27T20:17:22.479142+00:00", "updated": "2026-04-18T02:30:15.863410+00:00", "vendors": ["riot_project", "riot_project$PRODUCT$riot"]}