Executive Summary

CVE-2026-4746 is an out-of-bounds write vulnerability found in the timeplus-io proton software, specifically in the inflate() function located in the base/poco/Foundation/src/inflate.c file. This function is a cloned version derived from the madler/zlib library. The vulnerability relates to improper handling of the gzip header extra field within the inflate() function, which can lead to memory corruption by writing outside the intended buffer boundaries.

The issue affects versions of proton before 1.6.16 and was fixed by applying a patch from the upstream madler/zlib repository that addressed the same underlying bug.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability has a critical impact with a CVSS base score of 10.0, indicating it can be exploited remotely without any privileges or user interaction. The out-of-bounds write can lead to severe consequences such as arbitrary code execution, system crashes, or other unpredictable behavior due to memory corruption.

Because the vulnerability can be triggered remotely and without authentication, attackers could potentially take full control of affected systems running vulnerable versions of proton.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

I don't know

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the CVE-2026-4746 vulnerability, you should update the timeplus-io proton software to version 1.6.16 or later, where the vulnerability has been patched.

The fix involves applying a patch to the vulnerable inflate() function in the base/poco/Foundation/src/inflate.c file, which addresses the bug related to handling the gzip header extra field.

Ensure that your software is using the updated code that includes the upstream fix from the madler/zlib repository, as incorporated in the pull request #943 merged on May 30, 2025.

Useful 0 Not Useful 0