CVE-2026-4746
Out-of-Bounds Write in timeplus-io proton inflate.C Module
Publication date: 2026-03-24
Last updated on: 2026-03-24
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| timeplus-io | proton | to 1.6.16 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4746 is an out-of-bounds write vulnerability found in the timeplus-io proton software, specifically in the inflate() function located in the base/poco/Foundation/src/inflate.c file. This function is a cloned version derived from the madler/zlib library. The vulnerability relates to improper handling of the gzip header extra field within the inflate() function, which can lead to memory corruption by writing outside the intended buffer boundaries.
The issue affects versions of proton before 1.6.16 and was fixed by applying a patch from the upstream madler/zlib repository that addressed the same underlying bug.
How can this vulnerability impact me? :
This vulnerability has a critical impact with a CVSS base score of 10.0, indicating it can be exploited remotely without any privileges or user interaction. The out-of-bounds write can lead to severe consequences such as arbitrary code execution, system crashes, or other unpredictable behavior due to memory corruption.
Because the vulnerability can be triggered remotely and without authentication, attackers could potentially take full control of affected systems running vulnerable versions of proton.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-4746 vulnerability, you should update the timeplus-io proton software to version 1.6.16 or later, where the vulnerability has been patched.
The fix involves applying a patch to the vulnerable inflate() function in the base/poco/Foundation/src/inflate.c file, which addresses the bug related to handling the gzip header extra field.
Ensure that your software is using the updated code that includes the upstream fix from the madler/zlib repository, as incorporated in the pull request #943 merged on May 30, 2025.