CVE-2026-24826
Unknown Unknown - Not Provided
Multiple Memory Corruption Vulnerabilities in Cadaver Turso3d

Publication date: 2026-01-27

Last updated on: 2026-01-27

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d.This issue affects .
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-01-27
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24826
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
cadaver turso3d *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-369 The product divides a value by zero.
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-908 The product uses or accesses a resource that has not been initialized.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the turso3d project arises from using cloned third-party code (specifically from the nothings/stb repository) without applying important upstream security patches. It includes multiple issues such as out-of-bounds write, divide by zero, NULL pointer dereference, use of uninitialized resource, out-of-bounds read, and reachable assertion failures. These stem from flaws in the copied file ThirdParty/STB/stb_vorbis.h, which correspond to several CVEs fixed in the original repository. The vulnerabilities affect functions like start_decoder(), compute_codewords(), vorbis_decode_packet_rest(), draw_line(), lookup1_values(), get_window(), and predict_point(). The fix involved applying the original patches to the cloned code to eliminate these security problems. [1]

Impact Analysis

This vulnerability can have severe impacts including potential remote code execution, application crashes, denial of service, and data corruption due to memory safety issues like buffer overflows, use of uninitialized memory, and NULL pointer dereferences. Because the CVSS score is 10.0 with network attack vector and no required privileges or user interaction, an attacker can exploit these flaws remotely with high impact on confidentiality, integrity, and availability of the affected system. [1]

Mitigation Strategies

To mitigate this vulnerability, update the turso3d project to include the security patches applied to the cloned ThirdParty/STB/stb_vorbis.h file. Specifically, apply the patch from the original nothings/stb repository that fixes multiple vulnerabilities including heap buffer overflow, use of uninitialized memory, out-of-range reads, NULL pointer dereferences, and division by zero errors. This fix was merged into the turso3d master branch on December 1, 2025, so upgrading to the latest version containing this patch will mitigate the issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24826. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart