CVE-2026-24812
Buffer Overflow in root-project zlib Module (inftrees.C
Publication date: 2026-01-27
Last updated on: 2026-03-03
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| root-project | root | to 6.36.00-rc1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the ROOT project's inflate_table() function, specifically in the inftrees.c file, which was cloned from the zlib library but did not receive an important security patch originally applied to zlib. The issue involves an unsafe offset pointer optimization that could be exploited. The vulnerability was fixed by applying the same patch from zlib to the ROOT project, removing the unsafe optimization to mitigate the risk. [1]
How can this vulnerability impact me? :
The vulnerability has a high severity score (CVSS 9.3) and could potentially allow an attacker to exploit the inflate_table() function remotely without privileges or user interaction, leading to significant impact such as data corruption, denial of service, or other severe consequences due to the compromised decompression process. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the ROOT project software to a version that includes the security fix applied to the inflate_table() function in inftrees.c. This fix removes the vulnerable offset pointer optimization cloned from zlib. Applying the patch from the ROOT project's pull request #18527 or upgrading to a version released after May 5, 2025, will address the issue. [1]