Impact
The flaw is improper pointer arithmetic in the 'inffast.c' module of the ROOT application, a component that processes ZIP/deflate streams. The incorrect arithmetic can corrupt memory when the ROOT application decompresses input files, so malicious data may trigger arbitrary code execution on the target system. The vulnerability is classified as a memory corruption weakness. The damage could include full system compromise, data loss, and persistence if the attacker gains sufficient privileges. Based on the description, it is inferred that the attack vector may involve crafted compressed inputs delivered to ROOT, but no specific evidence of remote exploitation is provided. The risk to confidentiality, integrity, and availability is therefore severe.
Affected Systems
Vulnerable systems include installations of the root-project ROOT software; the affected vendor is root-project and the affected product is ROOT. Exact product versions are not specified in the advisory, so users should consult the vendor or the referenced pull request to verify which releases incorporate the fix. In the absence of version data, any deployment that has not applied the patch from PR 18526 should be considered vulnerable.
Risk and Exploitability
The CVSS v3.1 score of 9.3 indicates critical severity, with high impact and multiple attack vectors. The EPSS score is reported as less than 1%, implying that successful exploitation is currently considered unlikely but not impossible. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. An attacker would need to supply specially crafted compressed data that triggers the faulty pointer arithmetic; once triggered, memory corruption could lead to code execution. Because ROOT often processes user-supplied data, the practical risk to exposed services is significant even though the current observed exploit probability remains low.