{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40025", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:42.932Z", "datePublished": "2026-04-08T21:35:21.537Z", "dateUpdated": "2026-04-09T16:16:39.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:21.537Z"}, "title": "Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "tags": ["x_open-source"], "datePublic": "2026-03-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.14.0", "versionType": "custom"}, {"status": "unaffected", "version": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"}}], "references": [{"url": "https://github.com/sleuthkit/sleuthkit/pull/3444", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:03:14.878617Z", "id": "CVE-2026-40025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:16:39.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"tags": ["x_open-source"], "title": "Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "credits": [{"lang": "en", "type": "finder", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.14.0"}, {"status": "unaffected", "version": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-01T00:00:00.000Z", "references": [{"url": "https://github.com/sleuthkit/sleuthkit/pull/3444", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read", "name": "VulnCheck Advisory: Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:21.537Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:03:14.878617Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T15:03:20.256Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40025", "state": "PUBLISHED", "dateUpdated": "2026-04-08T21:35:21.537Z", "dateReserved": "2026-04-08T13:36:42.932Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:21.537Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sleuthkit:the_sleuth_kit:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A619301-F6A9-4151-9528-0BB27E356214", "versionEndExcluding": "4.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "id": "CVE-2026-40025", "lastModified": "2026-04-15T20:52:40.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:22.603", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611"}, {"source": "disclosure@vulncheck.com", "tags": ["Issue Tracking"], "url": "https://github.com/sleuthkit/sleuthkit/pull/3444"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "sleuthkit", "source": "cna", "vendor": "sleuthkit"}, "product": "the_sleuth_kit", "vendor": "sleuthkit"}], "analysis": {"en": {"generated_at": "2026-04-13T21:38:15.956621+00:00", "value": {"mitigation_remediation": ["Upgrade Sleuth Kit to the latest available release that removes the out\u2011of\u2011bounds read issue; if a newer version is not yet published, apply the patch provided in the referenced commit or update the repository to the fixed code branch.", "Avoid processing untrusted APFS disk images with older versions of Sleuth Kit until a secure version is deployed.", "Monitor the Sleuth Kit project\u2019s repository, issue tracker, and security advisories for an official fix or further guidance."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Sleuth Kit, the open\u2011source digital forensics framework, is affected when processing APFS volumes. All versions of the Sleuth Kit up to and including 4.14.0 that provide APFS keybag parsing functionality are vulnerable; newer releases may have addressed the issue. Users running any Sleuth Kit tools that analyze APFS volumes on untrusted or potentially malicious disk images are at risk.", "description_and_impact": "The vulnerability resides in the APFS keybag parser within Sleuth Kit versions up to 4.14.0. An attacker can supply an APFS disk image that contains crafted length fields; the wrapped_key_parser routine follows these fields without performing bounds checking, resulting in a heap read that exceeds the allocated buffer. The read can expose data beyond the intended scope or cause the processing tool to crash. This type of flaw is categorized as CWE\u2011125 (Out\u2011of\u2011Bounds Read).", "risk_and_exploitability": "The CVSS score of 4.8 indicates a medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited known exploitation. The attack vector requires an attacker-controlled APFS disk image to be processed by the tool; therefore, exposure generally occurs when individuals or automated workflows ingest malicious or compromised disk images. Prompt patching mitigates the risk, as the flaw cannot be partially mitigated by configuration alone."}}}}, "created": "2026-04-09T08:16:31.681951+00:00", "updated": "2026-04-14T16:37:02.443884+00:00", "vendors": ["sleuthkit", "sleuthkit$PRODUCT$the_sleuth_kit"]}