CVE-2026-24812
Unknown Unknown - Not Provided
Buffer Overflow in root-project zlib Module (inftrees.C

Publication date: 2026-01-27

Last updated on: 2026-03-03

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24812
EUVD
EUVD-2026-4762
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
root-project root to 6.36.00-rc1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ROOT project's inflate_table() function, specifically in the inftrees.c file, which was cloned from the zlib library but did not receive an important security patch originally applied to zlib. The issue involves an unsafe offset pointer optimization that could be exploited. The vulnerability was fixed by applying the same patch from zlib to the ROOT project, removing the unsafe optimization to mitigate the risk. [1]

Impact Analysis

The vulnerability has a high severity score (CVSS 9.3) and could potentially allow an attacker to exploit the inflate_table() function remotely without privileges or user interaction, leading to significant impact such as data corruption, denial of service, or other severe consequences due to the compromised decompression process. [1]

Mitigation Strategies

To mitigate this vulnerability, you should update the ROOT project software to a version that includes the security fix applied to the inflate_table() function in inftrees.c. This fix removes the vulnerable offset pointer optimization cloned from zlib. Applying the patch from the ROOT project's pull request #18527 or upgrading to a version released after May 5, 2025, will address the issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24812. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart