Description
Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C.

This issue affects dlib: before v19.24.9.
Published: 2026-01-27
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out‑of‑bounds buffer overflow in dlib
Action: Apply Patch
AI Analysis

Impact

A heap-based buffer over-read or overflow exists in the dlib library, caused by a buffer copy that does not check the size of its input. The flaw is located in the bundled zlib code (dlib/external/zlib, file inflate.C) and may allow an attacker to corrupt memory, potentially leading to arbitrary code execution or denial of service. The weakness is classified as CWE-120 (Buffer Copy without Checking Size of Input, 'Classic Buffer Overflow') and CWE-787 (Out-of-bounds Write).

Affected Systems

The issue affects the dlib library from the vendor davisking and impacts any installations of dlib prior to version 19.24.9.

Risk and Exploitability

The CVSS score of 5.2 indicates moderate severity, while the EPSS score of less than 1% points to a very low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, reducing immediate exposure. The CVSS 4.0 vector recorded for this CVE (AV:L/AC:L/AT:N/PR:L/UI:A) describes a local attack vector requiring low privileges and active user interaction. Based on the description, exploitation is inferred to require delivery of a crafted payload to the inflate.C routine, which decompresses externally supplied input; an attacker who already has sufficient privileges to run code within the dlib context could then leverage the memory corruption for privilege escalation or arbitrary code execution.

Generated by OpenCVE AI on April 18, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dlib to version 19.24.9 or later, following the fix identified in PR 3063.
  • If an upgrade is temporarily infeasible, disable or remove the inflate.C functionality from your deployment or enforce strict input size validation before it is called.
  • Consider compiling dlib with runtime bounds checking or using tools such as AddressSanitizer during development to detect similar over‑read situations.

Generated by OpenCVE AI on April 18, 2026 at 14:55 UTC.

Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Davisking; Davisking dlib
Vendors & Products   -                Davisking; Davisking dlib

Tue, 27 Jan 2026 16:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 08:45:00 +0000

Type         Values Removed   Values Added
Description  -                Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects dlib: before v19.24.9.
Title        -                A heap-based buffer over-read or buffer overflow in davisking/dlib
Weaknesses   -                CWE-120; CWE-787
References   -                -
Metrics      -                cvssV4_0: {'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:H/SC:N/SI:L/SA:L/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T15:29:38.861Z

Reserved: 2026-01-27T08:18:43.268Z

Link: CVE-2026-24799

Vulnrichment

Updated: 2026-01-27T15:29:29.411Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:49.787

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses