Description
Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C.
Published: 2026-01-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a classic buffer overflow caused by an out-of-bounds write in the inflate.C module of the Furnace project, which bundles external zlib. The overflow happens during a buffer copy that does not check the size of its input, allowing an attacker to overwrite adjacent heap memory. This can corrupt program state and, if successfully exploited, lead to arbitrary code execution or denial of service. The weakness aligns with CWE-120 and CWE-787.

Affected Systems

The affected product is Furnace by tildearrow. All deployments of Furnace that include the zlib inflate.C implementation prior to the fix introduced in pull request 2471 are vulnerable. No specific version range is listed; the issue is tied to the code present before that PR.

Risk and Exploitability

The CVSS score is 10, indicating maximum severity. The EPSS is below 1%, indicating a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, since an adversary could craft a malicious compressed stream and send it to a process that will parse it. Successful exploitation would require the target to be running the vulnerable version of Furnace and the attacker to be able to supply the crafted input; the precondition is simply the ability to deliver that input remotely. Given the high score but low EPSS, the risk remains high for targeted or pre-planned attacks, and prompt remediation is prudent.

Generated by OpenCVE AI on April 18, 2026 at 02:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the patch introduced by pull request 2471 or upgrade Furnace to a version that includes the fix.
  • Validate the size of compressed data before processing it, or enforce strict input sanitization in the inflate function to prevent buffer overflow.
  • If upgrading is not possible, consider disabling or removing the zlib inflate functionality or isolating Furnace processes in a restricted network segment to limit exposure.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 20:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            Tildearrow
                                        Tildearrow furnace
Vendors & Products    (none)            Tildearrow
                                        Tildearrow furnace

Tue, 27 Jan 2026 17:15:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc
                            {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 08:45:00 +0000

Type          Values Removed    Values Added
Description   (none)            Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C.
Title         (none)            A heap-based buffer over-read or buffer overflow in tildearrow/furnace
Weaknesses    (none)            CWE-120
                                CWE-787
References    (none)
Metrics       (none)            cvssV4_0
                                {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:L/U:Red'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T17:02:21.459Z

Reserved: 2026-01-27T08:18:43.268Z

Link: CVE-2026-24800

Vulnrichment

Updated: 2026-01-27T17:02:17.596Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:49.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses