Description
Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C.

This issue affects cupoch.
Published: 2026-01-27
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary code execution via memory corruption
Action: Patch
AI Analysis

Impact

This vulnerability arises from missing bounds checking in cupoch's libjpeg‑turbo module, allowing an out‑of‑bounds write when processing tjbench.C files. The write can corrupt memory, potentially granting an attacker the ability to execute arbitrary code, cause denial of service, or disclose confidential data, consistent with CWE‑787.

Affected Systems

The issue affects the cupoch project maintained by neka‑nat. It specifically targets the libjpeg‑turbo components used by cupoch when handling tjbench.C inputs. No version range is supplied, so all releases using the affected code path may be vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% and absence from CISA's KEV list suggest exploitation is currently unlikely, but the vulnerability remains exploitable if an attacker can influence input to the vulnerable module. The attack vector is not explicitly documented; based on the description of tjbench.C processing, it is inferred that an attacker could trigger the write by supplying crafted tjbench.C data or by manipulating file handling routines.

Generated by OpenCVE AI on April 18, 2026 at 02:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cupoch release from GitHub, which includes the bounds‑check fix in libjpeg‑turbo.
  • If immediate upgrade is not feasible, restrict tjbench.C file processing to trusted users and implement additional input validation or bounds checks before performing writes in the vulnerable code.
  • Review the source code of the libjpeg‑turbo module to confirm removal of the missing bounds check; if necessary, apply a temporary patch that adds explicit bounds verification before memory writes.

Generated by OpenCVE AI on April 18, 2026 at 02:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Neka-nat
Neka-nat cupoch
Vendors & Products Neka-nat
Neka-nat cupoch

Tue, 27 Jan 2026 08:30:00 +0000

Type Values Removed Values Added
Description Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C. This issue affects cupoch.
Title An out of bounds write due to a missing bounds check in neka-nat/cupoch
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L/AU:Y/R:A/RE:M/U:Amber'}

Subscriptions

Neka-nat Cupoch
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T21:38:37.425Z

Reserved: 2026-01-27T08:18:43.268Z

Link: CVE-2026-24797

cve-icon Vulnrichment

Updated: 2026-01-27T21:09:40.532Z

cve-icon NVD

Status : Deferred

Published: 2026-01-27T09:15:49.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24797

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses