{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24812", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:39:10.281Z", "datePublished": "2026-01-27T08:48:31.091Z", "dateUpdated": "2026-03-03T15:56:14.627Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/root-project/root", "defaultStatus": "affected", "modules": ["builtins/zlib"], "product": "root", "programFiles": ["inftrees.c"], "vendor": "root-project", "versions": [{"lessThanOrEqual": "6.36.00-rc1", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Vulnerability in root-project root (builtins/zlib modules).<p> This vulnerability is associated with program files <tt>inftrees.C</tt>.</p><p>This issue affects root: through 6.36.00-rc1.</p>"}], "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C.\n\nThis issue affects root: through 6.36.00-rc1."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 9.3, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:48:31.091Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/root-project/root/pull/18527"}], "source": {"discovery": "UNKNOWN"}, "title": "An improper pointer arithmetic in root-project/root at builtins/zlib/inftrees.c", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "CWE-125 Out-of-bounds Read"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T20:43:00.232200Z", "id": "CVE-2026-24812", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T15:56:14.627Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-19T16:11:14.745Z"}, "references": [{"url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-02-19T16:11:14.745Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24812", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T20:43:00.232200Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T20:43:12.262Z"}}], "cna": {"title": "An improper pointer arithmetic in root-project/root at builtins/zlib/inftrees.c", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 9.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "root-project", "modules": ["builtins/zlib"], "product": "root", "versions": [{"status": "affected", "version": "0", "versionType": "git", "lessThanOrEqual": "6.36.00-rc1"}], "programFiles": ["inftrees.c"], "collectionURL": "https://github.com/root-project/root", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/root-project/root/pull/18527", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C.\n\nThis issue affects root: through 6.36.00-rc1.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in root-project root (builtins/zlib modules).<p> This vulnerability is associated with program files <tt>inftrees.C</tt>.</p><p>This issue affects root: through 6.36.00-rc1.</p>", "base64": false}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:48:31.091Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24812", "state": "PUBLISHED", "dateUpdated": "2026-03-03T15:56:14.627Z", "dateReserved": "2026-01-27T08:39:10.281Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:48:31.091Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C.\n\nThis issue affects root: through 6.36.00-rc1."}, {"lang": "es", "value": "Vulnerabilidad en proyecto ra\u00edz root (m\u00f3dulos builtins/zlib). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa inftrees.C.\n\nEste problema afecta a root: hasta 6.36.00-rc1."}], "id": "CVE-2026-24812", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:51.567", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/root-project/root/pull/18527"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:22:22.925027+00:00", "value": {"mitigation_remediation": ["Install the latest version of the root project where the pointer arithmetic error has been corrected (see the project release notes for changes beyond 6.36.00\u2011rc1).", "If an immediate upgrade is not possible, restrict decompression of zlib data to sources that are already trusted, and enforce strict validation of the input before processing.", "Monitor system logs and common exploitation patterns for signs of memory corruption or sudden crashes that could indicate an attempt to exploit the flaw."], "summary": {"action": "Immediate Patch", "impact": "Out-of-bounds Read"}, "threat_synthesis": {"affected_systems": "The issue affects the root\u2011project root software, impacting all releases through version 6.36.00\u2011rc1. Users running any of these released versions should verify their installed version and plan to upgrade to a patched release.", "description_and_impact": "The vulnerability arises from improper pointer arithmetic in the zlib decompression routines within the root\u2011project, specifically in builtins/zlib/inftrees.c. This causes an out-of-bounds read (CWE\u2011125) that can corrupt memory and may expose sensitive data or lead to memory corruption. The exact consequences depend on the environment and input handling; execution of arbitrary code is a possibility but is not confirmed by the information provided.", "risk_and_exploitability": "The CVSS score of 9.3 denotes critical severity, implying that exploitation could compromise confidentiality, integrity or availability. The EPSS score is reported as less than 1%, suggesting that exploitation at present is rare, but the vulnerability is not listed in the CISA KEV catalog, meaning there is no known active exploitation. Based on the nature of the flaw, the attack vector is likely remote, triggered by malicious compressed input sent over a network or from compromised files; this inference is drawn from the involvement of zlib decompression routines."}}}}, "created": "2026-01-27T20:17:11.004100+00:00", "updated": "2026-04-18T02:30:15.862780+00:00", "vendors": ["riot_project", "riot_project$PRODUCT$riot"]}