{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24857", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.061Z", "datePublished": "2026-01-28T21:30:35.410Z", "dateUpdated": "2026-01-29T18:01:12.601Z"}, "containers": {"cna": {"title": "bulk_extractor has Heap-based Buffer Overflow vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q"}], "affected": [{"vendor": "simsong", "product": "bulk_extractor", "versions": [{"version": ">= 1.4, <= 2.1.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T21:30:35.410Z"}, "descriptions": [{"lang": "en", "value": "`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`\u2019s embedded unrar code has a heap\u2011buffer\u2011overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out\u2011of\u2011bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available."}], "source": {"advisory": "GHSA-rh8m-9xrx-q64q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T16:03:03.118001Z", "id": "CVE-2026-24857", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T18:01:12.601Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24857", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T16:03:03.118001Z"}}}], "references": [{"url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:03:06.194Z"}}], "cna": {"title": "bulk_extractor has Heap-based Buffer Overflow vulnerability", "source": {"advisory": "GHSA-rh8m-9xrx-q64q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "simsong", "product": "bulk_extractor", "versions": [{"status": "affected", "version": ">= 1.4, <= 2.1.1"}]}], "references": [{"url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q", "name": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`\u2019s embedded unrar code has a heap\u2011buffer\u2011overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out\u2011of\u2011bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T21:30:35.410Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24857", "state": "PUBLISHED", "dateUpdated": "2026-01-29T18:01:12.601Z", "dateReserved": "2026-01-27T14:51:03.061Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T21:30:35.410Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:simsong:bulk_extractor:*:*:*:*:*:*:*:*", "matchCriteriaId": "37E01344-F9C6-472A-B1D4-E30BFA2A549B", "versionStartIncluding": "1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`\u2019s embedded unrar code has a heap\u2011buffer\u2011overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out\u2011of\u2011bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available."}], "id": "CVE-2026-24857", "lastModified": "2026-02-09T16:47:23.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-28T22:15:56.350", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:36:07.010354+00:00", "value": {"mitigation_remediation": ["Do not run bulk_extractor on disk images containing RAR archives from untrusted sources.", "Validate or extract RAR archives with a reliable external tool before feeding the file into bulk_extractor, ensuring that only properly formatted data is processed.", "Run bulk_extractor inside a sandboxed or containerized environment to contain potential exploitation, limiting the impact on the host system.", "Monitor the system for unexpected crashes or signs of memory corruption that could indicate exploitation.", "Regularly check the vendor\u2019s repository and security advisories for an upcoming patch or update, and upgrade as soon as a fix becomes available."], "summary": {"action": "Monitor", "impact": "Remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the bulk_extractor forensic tool produced by Simson Garfinkel. Versions 1.4 and newer are impacted because the fault appears in the embedded unrar code shipped with 1.4 and later releases.", "description_and_impact": "bulk_extractor includes embedded unrar code that contains a heap-based buffer overflow in the RAR PPM LZ decoding path starting with version 1.4. When a specially crafted RAR archive is embedded inside a disk image, the Unpack::CopyString function performs an out-of-bounds write, which can crash the program or corrupt memory. The resulting corruption gives an attacker the potential to achieve remote code execution. The flaw is a classic heap overflow (CWE122) and an out-of-bounds write (CWE787).", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1 % implies low exploitation likelihood at present. The flaw is not listed in the CISA KEV catalog. Attack vectors are likely local: an attacker must supply a malicious disk image that contains a specially crafted RAR archive. If an attacker can perform the extraction on a system where bulk_extractor runs, the memory corruption could lead to arbitrary code execution, compromising the host. The absence of an available patch means the risk remains until a fix is released."}}}}, "created": "2026-01-29T09:08:24.975956+00:00", "updated": "2026-04-18T01:45:33.393577+00:00", "vendors": ["simsong", "simsong$PRODUCT$bulk_extractor"]}