CVE-2026-24812
Unknown Unknown - Not Provided

Buffer Overflow in root-project zlib Module (inftrees.C

Vulnerability report for CVE-2026-24812, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-27

Last updated on: 2026-03-03

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description

Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-27
Last Modified
2026-03-03
Generated
2026-07-06
AI Q&A
2026-01-27
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
root-project root to 6.36.00-rc1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the ROOT project's inflate_table() function, specifically in the inftrees.c file, which was cloned from the zlib library but did not receive an important security patch originally applied to zlib. The issue involves an unsafe offset pointer optimization that could be exploited. The vulnerability was fixed by applying the same patch from zlib to the ROOT project, removing the unsafe optimization to mitigate the risk. [1]

Impact Analysis

The vulnerability has a high severity score (CVSS 9.3) and could potentially allow an attacker to exploit the inflate_table() function remotely without privileges or user interaction, leading to significant impact such as data corruption, denial of service, or other severe consequences due to the compromised decompression process. [1]

Mitigation Strategies

To mitigate this vulnerability, you should update the ROOT project software to a version that includes the security fix applied to the inflate_table() function in inftrees.c. This fix removes the vulnerable offset pointer optimization cloned from zlib. Applying the patch from the ROOT project's pull request #18527 or upgrading to a version released after May 5, 2025, will address the issue. [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart