CVE-2026-24826
Multiple Memory Corruption Vulnerabilities in Cadaver Turso3d
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cadaver | turso3d | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
| CWE-369 | The product divides a value by zero. |
| CWE-617 | The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
AI Powered Q&A
Can you explain this vulnerability to me?
The turso3d project ships a cloned copy of third-party code (ThirdParty/STB/stb_vorbis.h, taken from the nothings/stb repository) without the security patches that upstream has since applied. The copied decoder therefore still contains several flaws that were fixed in the original repository and correspond to several CVEs there: out-of-bounds write, divide by zero, NULL pointer dereference, use of uninitialized memory, out-of-bounds read, and reachable assertion failures. The affected code paths are start_decoder(), compute_codewords(), vorbis_decode_packet_rest(), draw_line(), lookup1_values(), get_window(), and predict_point(), all of which run while parsing an Ogg Vorbis stream, so a crafted audio file is the trigger. The fix applied the original upstream patches to the cloned file. [1]
How can this vulnerability impact me?
The memory-safety bugs (buffer overflows, use of uninitialized memory, NULL pointer dereferences) can crash the application, corrupt data, and potentially allow remote code execution. Because the CVSS score is 10.0 with a network attack vector and no privileges or user interaction required, an attacker can reach the flaws remotely with high impact on confidentiality, integrity, and availability. In practice the exposure is any path by which untrusted Ogg Vorbis data reaches the decoder, for example audio assets fetched over the network or supplied by users. [1]
What immediate steps should I take to mitigate this vulnerability?
Update turso3d to a version in which the cloned ThirdParty/STB/stb_vorbis.h carries the upstream patches from the nothings/stb repository (the fixes for the heap buffer overflow, use of uninitialized memory, out-of-range reads, NULL pointer dereferences, and division by zero). That fix was merged into the turso3d master branch on December 1, 2025, so any build from a later commit contains it; the affected range above is listed as "*", so treat every checkout older than that commit as affected. After updating, confirm that the vendored header actually matches the patched upstream file rather than relying on the commit date alone, since a vendored copy can silently drift again. If you cannot update immediately, do not feed Ogg Vorbis data from untrusted sources to the affected build. [1]
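The drift the advisory describes (a vendored stb header that never received upstream fixes) can be caught mechanically. The following Python is an added example, not code from turso3d, the nothings/stb project, or this advisory: it reads the version banner of a vendored stb-style header, compares it against a required minimum, and treats a missing banner as a failure. The banner format ("- vX.YY -" in the first lines, as stb_vorbis.h and the other stb headers carry it), the sample header texts, the minimum version (1, 22), and the path names are all constructed assumptions; the advisory does not state which upstream stb_vorbis release contains the fixes, so set the minimum from the upstream commit you actually need.

```python
"""Audit vendored stb-style single-header libraries for version drift.

Added example. Assumes stb headers announce their version in a banner
comment of the form "// Ogg Vorbis audio decoder - v1.22 - public domain".
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int]

# Constructed sample inputs (not real file contents from turso3d or stb).
SAMPLE_VENDORED_HEADER = """\
// Ogg Vorbis audio decoder - v1.14 - public domain
// http://nothings.org/stb_vorbis/
//
// Original version written by Sean Barrett in 2007.
#ifndef STB_VORBIS_INCLUDE_STB_VORBIS_H
"""

# A locally modified copy whose banner was stripped: the worst case for auditing.
SAMPLE_HEADER_NO_VERSION = """\
// local copy, banner removed during import
#ifndef STB_VORBIS_INCLUDE_STB_VORBIS_H
"""

# Stand-in for the upstream file at the pinned revision (constructed).
SAMPLE_UPSTREAM_HEADER = SAMPLE_VENDORED_HEADER.replace("v1.14", "v1.22")

# Matches "v1.22" as a whole token inside the banner comment.
_VERSION_RE = re.compile(r"\bv(\d+)\.(\d+)\b")


def parse_stb_version(header_text: str, banner_lines: int = 10) -> Optional[Version]:
    """Return (major, minor) from the banner comment, or None if no banner is found.

    Only the first few lines are scanned so that a version string mentioned
    in a changelog further down the file cannot masquerade as the banner.
    """
    for line in header_text.splitlines()[:banner_lines]:
        match = _VERSION_RE.search(line)
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def is_outdated(header_text: str, minimum: Version) -> bool:
    """True if the copy is older than `minimum` or cannot be identified at all.

    A copy with no banner is reported as outdated on purpose: an unidentifiable
    vendored file is exactly the case where drift from upstream goes unnoticed.
    """
    found = parse_stb_version(header_text)
    return found is None or found < minimum


def matches_upstream(vendored_text: str, upstream_text: str) -> bool:
    """Stronger check: content equality with the pinned upstream file.

    Line endings are normalised so a CRLF checkout does not look like drift;
    any other difference (including a local patch) is reported as a mismatch.
    """
    def digest(text: str) -> str:
        return hashlib.sha256(text.replace("\r\n", "\n").encode("utf-8")).hexdigest()
    return digest(vendored_text) == digest(upstream_text)


def audit(vendored: Dict[str, str], minimum: Version) -> List[Tuple[str, Optional[Version]]]:
    """Return (path, detected_version) for every vendored copy that needs attention."""
    return [(path, parse_stb_version(text))
            for path, text in vendored.items()
            if is_outdated(text, minimum)]


if __name__ == "__main__":
    # Hypothetical repository layout; the first path mirrors the one named in the advisory.
    tree = {
        "ThirdParty/STB/stb_vorbis.h": SAMPLE_VENDORED_HEADER,
        "ThirdParty/STB/stb_vorbis_stripped.h": SAMPLE_HEADER_NO_VERSION,
    }
    for path, version in audit(tree, minimum=(1, 22)):
        print(f"{path}: {version or 'no version banner'}; required >= 1.22")
    print("matches pinned upstream:",
          matches_upstream(SAMPLE_VENDORED_HEADER, SAMPLE_UPSTREAM_HEADER))
```

A version banner is a necessary but not sufficient check: a fork can cherry-pick patches without bumping the banner, or bump it without them. matches_upstream() is the stronger comparison, hashing the vendored text against the upstream file at the pinned revision, and is the check worth running in CI after the patch has been applied.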