CVE-2026-24821
Out-of-Bounds Read in WickedEngine lparser.C Module
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| turanszkij | wickedengine | up to 0.71.727 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in WickedEngine's Lua modules, specifically in the program file lparser.C. The affected code reads memory outside the intended bounds, which can lead to incorrect behavior or potential security risks. The vulnerability is linked to how certain functions handle data, and it affects WickedEngine versions up to 0.71.727.
How can this vulnerability impact me?
The out-of-bounds read can expose sensitive information or cause the program to behave unpredictably, potentially allowing attackers to exploit the system. The high CVSS score (9.3) indicates a severe impact with a network attack vector and no required privileges or user interaction, meaning it can be exploited remotely and easily, potentially compromising system confidentiality and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WickedEngine to a version that includes the security patch applied in pull request #1095, merged on May 3, 2025. This patch fixes the vulnerable function singlevar() by applying the same fix that was done in Lua to prevent out-of-bounds reads. Applying this update will eliminate the vulnerability associated with CVE-2026-24821. [1]