{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4732", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T02:50:04.359Z", "datePublished": "2026-03-24T02:50:36.111Z", "dateUpdated": "2026-03-24T18:28:11.937Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T02:50:36.111Z"}, "title": "Out-of-bounds Read Overflow in tildearrow/furnace", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "tildearrow", "product": "furnace", "collectionURL": "https://github.com/tildearrow/furnace", "modules": ["\u200eextern/libsndfile-modified/src"], "programFiles": ["flac.c\u200e"], "versions": [{"status": "affected", "version": "0", "lessThan": "0.7", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in tildearrow furnace (\u200eextern/libsndfile-modified/src modules). This vulnerability is associated with program files flac.C\u200e.\n\nThis issue affects furnace: before 0.7.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Out-of-bounds Read vulnerability in tildearrow furnace (\u200eextern/libsndfile-modified/src modules).<p> This vulnerability is associated with program files flac.C\u200e.</p><p>This issue affects furnace: before 0.7.</p>"}]}], "references": [{"url": "https://github.com/tildearrow/furnace/pull/2812", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "PROOF_OF_CONCEPT", "Safety": "NEGLIGIBLE", "Automatable": "NO", "Recovery": "USER", "valueDensity": "DIFFUSE", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:N/R:U/V:D/RE:L/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:28:05.626315Z", "id": "CVE-2026-4732", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:28:11.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4732", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T18:28:05.626315Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:28:08.792Z"}}], "cna": {"title": "Out-of-bounds Read Overflow in tildearrow/furnace", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 8.4, "Automatable": "NO", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:N/AU:N/R:U/V:D/RE:L/U:Amber", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "AMBER", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "tildearrow", "modules": ["\u200eextern/libsndfile-modified/src"], "product": "furnace", "versions": [{"status": "affected", "version": "0", "lessThan": "0.7", "versionType": "git"}], "programFiles": ["flac.c\u200e"], "collectionURL": "https://github.com/tildearrow/furnace", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/tildearrow/furnace/pull/2812", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in tildearrow furnace (\u200eextern/libsndfile-modified/src modules). This vulnerability is associated with program files flac.C\u200e.\n\nThis issue affects furnace: before 0.7.", "supportingMedia": [{"type": "text/html", "value": "Out-of-bounds Read vulnerability in tildearrow furnace (\u200eextern/libsndfile-modified/src modules).<p> This vulnerability is associated with program files flac.C\u200e.</p><p>This issue affects furnace: before 0.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T02:50:36.111Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4732", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:28:11.937Z", "dateReserved": "2026-03-24T02:50:04.359Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T02:50:36.111Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds Read vulnerability in tildearrow furnace (\u200eextern/libsndfile-modified/src modules). This vulnerability is associated with program files flac.C\u200e.\n\nThis issue affects furnace: before 0.7."}, {"lang": "es", "value": "Vulnerabilidad de lectura fuera de l\u00edmites en tildearrow furnace (m\u00f3dulos extern/libsndfile-modified/src). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa flac.C.\n\nEste problema afecta a furnace: anterior a 0.7."}], "id": "CVE-2026-4732", "lastModified": "2026-04-30T16:01:57.470", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NO", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T04:17:25.573", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/tildearrow/furnace/pull/2812"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "furnace", "source": "cna", "vendor": "tildearrow"}, "product": "furnace", "vendor": "tildearrow"}], "analysis": {"en": {"generated_at": "2026-03-24T05:51:13.495467+00:00", "value": {"mitigation_remediation": ["Apply the latest Furnace release (0.7 or newer).", "Limit processing to trusted FLAC files or use input validation to prevent malicious file handling."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Furnace project maintained by tildearrow. All releases prior to version 0.7 are impacted. Users running these older versions and handling FLAC audio are at risk because the flaw is tied to the flac.C module.", "description_and_impact": "An out-of-bounds read can occur in Furnace's modified libsndfile source code that processes FLAC files. The flaw allows the program to access memory beyond a buffer boundary, potentially revealing sensitive data or causing a crash. This weakness is a classic buffer over-read (CWE-125).", "risk_and_exploitability": "The CVSS score of 8.4 indicates a high severity level, and the EPSS data is unavailable. The issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that an attacker who can supply a crafted FLAC file to a system running an affected installation could trigger the out-of-bounds read and obtain sensitive information or cause a denial of service. The problem is fully mitigated by upgrading to version 0.7 or later."}}}}, "created": "2026-03-24T10:29:19.993962+00:00", "updated": "2026-03-25T20:40:25.223528+00:00", "vendors": ["tildearrow", "tildearrow$PRODUCT$furnace"]}