CVE-2026-24829
Heap-Based Buffer Overflow in is-Engine Before
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| is-daouda | is-engine | before 3.3.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a heap-based buffer overflow caused by an out-of-bounds write in the is-Engine software before version 3.3.4. It originated from cloned code derived from the libjpeg-turbo project that did not receive a security patch applied to the original code. This flaw allows writing outside the allocated memory buffer, which can lead to crashes or other unintended behavior. [1]
How can this vulnerability impact me?
The vulnerability can cause a denial of service or application crash due to the heap-based buffer overflow. According to the CVSS score, it has a high impact on availability (A:H) but does not affect confidentiality or integrity. An attacker could potentially exploit this vulnerability remotely without privileges, but user interaction is required.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update is-Engine to version 3.3.4 or later where the security patch has been applied. The patch aligns the cloned code with the secure version from libjpeg-turbo, eliminating the out-of-bounds write and heap-based buffer overflow issue. [1]