{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40026", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:44.872Z", "datePublished": "2026-04-08T21:35:22.278Z", "dateUpdated": "2026-04-08T21:35:22.278Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:22.278Z"}, "title": "Sleuth Kit ISO9660 SUSP Extension Reference Out-of-Bounds Read", "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop."}], "tags": ["x_open-source"], "datePublic": "2026-03-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.14.0", "versionType": "custom"}, {"status": "unaffected", "version": "a95b0ac21733b059a517aaefa667a17e1bcbdee1", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"}}], "references": [{"url": "https://github.com/sleuthkit/sleuthkit/pull/3445", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/sleuthkit/sleuthkit/commit/a95b0ac21733b059a517aaefa667a17e1bcbdee1", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Sleuth Kit ISO9660 SUSP Extension Reference Out-of-Bounds Read", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/sleuth-kit-iso9660-susp-extension-reference-out-of-bounds-read"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop."}], "id": "CVE-2026-40026", "lastModified": "2026-04-08T22:16:22.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:22.780", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/sleuthkit/sleuthkit/commit/a95b0ac21733b059a517aaefa667a17e1bcbdee1"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/sleuthkit/sleuthkit/pull/3445"}, {"source": "disclosure@vulncheck.com", "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/sleuth-kit-iso9660-susp-extension-reference-out-of-bounds-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "a95b0ac21733b059a517aaefa667a17e1bcbdee1"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "sleuthkit", "source": "cna", "vendor": "sleuthkit"}, "product": "the_sleuth_kit", "vendor": "sleuthkit"}], "analysis": {"en": {"generated_at": "2026-04-08T22:24:24.394988+00:00", "value": {"mitigation_remediation": ["Upgrade Sleuth Kit to a release newer than 4.14.0 or apply the patch from commit a95b0ac.", "If an immediate upgrade is not possible, restrict the use of Sleuth Kit to trusted ISO images only and quarantine untrusted images.", "Validate ISO images with a trusted source before processing them with Sleuth Kit."], "summary": {"action": "Update Package", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is Sleuth Kit from the sleuthkit organization. Versions up to and including 4.14.0 are impacted. Users should refer to the commit a95b0ac and the pull request 3445 that contain the fix.", "description_and_impact": "The vulnerability resides in the ISO9660 filesystem parser of Sleuth Kit versions up to 4.14.0. The parse_susp() routine accepts len_id, len_des, and len_src values from the disk image and copies that many bytes into a stack buffer without validating that the source data is within the parsed SUSP block. An attacker can supply a malicious ISO image that makes the routine read past the end of the buffer and can also inject a zero\u2011length SUSP entry that results in an infinite parsing loop. The result is an out\u2011of\u2011bounds read, possible disclosure of nearby memory, and a crash or denial of service. This falls under the CWE\u2011125 category of out\u2011of\u2011bounds read.", "risk_and_exploitability": "The CVSS score is 4.8, indicating a moderate risk. The EPSS score is not provided, so the likelihood of exploitation remains unclear, but the vulnerability is not listed in the Known Exploited Vulnerabilities catalog. Since the flaw can be triggered by a crafted ISO image, it requires local access or the ability to supply an ISO to the target system. An attacker could cause the system running Sleuth Kit to hang or crash, but there is no evidence of remote code execution or data exfiltration. The attack vector is inferred to be local file processing."}}}}, "created": "2026-04-09T08:16:30.541909+00:00", "updated": "2026-04-09T08:25:56.520365+00:00", "vendors": ["sleuthkit", "sleuthkit$PRODUCT$the_sleuth_kit"]}