CVE-2026-24800
Unknown Unknown - Not Provided
Buffer Overflow in Tildearrow Furnace's inflate.C (zlib) Module

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24800
EUVD
EUVD-2026-4798
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tildearrow furnace From 2025-04-28 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a classic buffer overflow caused by an out-of-bounds write in the inflate() function used for decompressing gzip data in the tildearrow furnace project. The issue originated because the inflate() function, cloned from the zlib library, did not include a critical security patch that fixed how the gzip header extra field is handled during decompression. This flaw could lead to writing data outside the intended buffer boundaries, potentially causing crashes or allowing an attacker to execute arbitrary code. [1]

Impact Analysis

This vulnerability can have severe impacts including application crashes, denial of service, or potentially arbitrary code execution if exploited. Since the inflate() function is used to decompress gzip data, an attacker could craft malicious compressed data that triggers the buffer overflow, compromising the security and stability of any system using the affected tildearrow furnace library. [1]

Mitigation Strategies

To mitigate this vulnerability, update the tildearrow furnace library to include the security patch that fixes the inflate() function's handling of the gzip header extra field. This patch, originally applied to the zlib library and merged into furnace in pull request #2471, corrects the out-of-bounds write issue. Applying this update will eliminate the security flaw. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24800. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart