{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24826", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:59:05.366Z", "datePublished": "2026-01-27T09:11:27.233Z", "dateUpdated": "2026-01-29T20:03:11.637Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "turso3d", "vendor": "cadaver", "versions": [{"status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.<p>This issue affects .</p>"}], "value": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects ."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 10, "baseSeverity": "CRITICAL", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-369", "description": "CWE-369 Divide By Zero", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-908", "description": "CWE-908 Use of Uninitialized Resource", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-617", "description": "CWE-617 Reachable Assertion", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T09:11:27.233Z"}, "references": [{"url": "https://github.com/cadaver/turso3d/pull/11"}], "source": {"discovery": "UNKNOWN"}, "title": "Out-of-bounds write in turso3d", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T20:03:03.169650Z", "id": "CVE-2026-24826", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T20:03:11.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24826", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-29T20:03:03.169650Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T20:03:07.081Z"}}], "cna": {"title": "Out-of-bounds write in turso3d", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 10, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "cadaver", "product": "turso3d", "versions": [{"status": "affected", "version": "0", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/cadaver/turso3d/pull/11"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.<p>This issue affects .</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-369", "description": "CWE-369 Divide By Zero"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-908", "description": "CWE-908 Use of Uninitialized Resource"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-617", "description": "CWE-617 Reachable Assertion"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T09:11:27.233Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24826", "state": "PUBLISHED", "dateUpdated": "2026-01-29T20:03:11.637Z", "dateReserved": "2026-01-27T08:59:05.366Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T09:11:27.233Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects ."}, {"lang": "es", "value": "Vulnerabilidad de Escritura fuera de l\u00edmites, Divisi\u00f3n por cero, Desreferencia de puntero NULL, Uso de recurso no inicializado, Lectura fuera de l\u00edmites y Aserci\u00f3n alcanzable en cadaver turso3d. Este problema afecta a ."}], "id": "CVE-2026-24826", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T10:15:49.507", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/cadaver/turso3d/pull/11"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-369"}, {"lang": "en", "value": "CWE-476"}, {"lang": "en", "value": "CWE-617"}, {"lang": "en", "value": "CWE-787"}, {"lang": "en", "value": "CWE-908"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T14:51:40.899299+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch for turso3d or upgrade to a version where the vulnerability is fixed. If no patch is available, isolate the affected application from the network and disable any functions that invoke the vulnerable code path. Review the pull request at the provided GitHub link to manually apply the code changes if the vendor has not released a formal update.", "Implement runtime integrity checks or address sanitizer tools to detect out-of-bounds accesses during development and testing. Monitor logs for anomalous memory access patterns that could indicate exploitation attempts.", "Configure SELinux or AppArmor confinement for the turso3d process to limit the blast radius in case of exploitation."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is cadaver\u2019s turso3d. No specific version numbers are given in the CVE information, so the patch status of installed instances cannot be determined from this data alone.", "description_and_impact": "The vulnerability in cadaver\u2019s turso3d allows an attacker to write beyond the bounds of an array and perform arithmetic with a zero divisor, leading to a null pointer dereference and the reuse of uninitialized resources. These weaknesses combine to enable arbitrary code execution. The high CVSS score of 10 confirms that an exploitation would compromise confidentiality, integrity, and availability of the affected system. \u201cOut\u2011of\u2011bounds write\u201d is a classic memory corruption flaw that typically permits control over program flow.", "risk_and_exploitability": "With a CVSS of 10 the vulnerability is considered extremely severe. The EPSS score of less than 1% suggests that, although exploitation is possible, it is currently statistically unlikely. The vulnerability is not listed in the CISA KEV catalog. Because the description does not specify an attack vector, it is inferred that the exploitation might require local access or could be achieved remotely if the vulnerable code is exposed through a service. Without explicit vector information, administrators should assume the worst\u2011case scenario and treat the flaw as a potential remote code execution risk."}}}}, "created": "2026-01-27T20:16:48.209744+00:00", "updated": "2026-04-18T15:00:03.443873+00:00", "vendors": ["cadaver", "cadaver$PRODUCT$turso3d"]}