Description
Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C.

This issue affects root: through 6.36.00-rc1.
Published: 2026-01-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-bounds Read
Action: Immediate Patch
AI Analysis

Impact

The flaw is improper pointer arithmetic in the zlib decompression code bundled with ROOT, specifically builtins/zlib/inftrees.c, the file in which inflate builds its Huffman decoding tables from the code lengths carried in the compressed stream. The result is an out-of-bounds read (CWE-125). A read past the end of a buffer does not by itself corrupt memory; its direct consequences are disclosure of adjacent memory contents or a crash of the process doing the decompression. The CVSS 4.0 vector recorded for this CVE rates integrity and availability impact as high and the SSVC assessment calls the technical impact total, so worse outcomes are considered possible, but execution of arbitrary code is not confirmed by the information on this page.

Affected Systems

The issue affects the root-project root software in all versions through 6.36.00-rc1. Since the affected file sits in ROOT's bundled copy of zlib (builtins/zlib), whether a given installation compiled that copy or was built against an external zlib is worth confirming, but the CVE record makes no such distinction, so treat every listed version as affected unless the project states otherwise. Users should check the installed ROOT version and plan an upgrade to a release in which the project states the bug is fixed.

Risk and Exploitability

The CVSS 4.0 base score of 9.3 is critical. The vector recorded in the History section (AV:N/AC:L/AT:N/PR:N/UI:N, with VI:H and VA:H) says the flaw is reachable over the network with low complexity, no privileges and no user interaction, and that integrity and availability impact are high. The EPSS score below 1% means the modelled probability of exploitation in the near term is low, and the CVE is not in the CISA KEV catalog; the SSVC assessment likewise records Exploitation: none. Together these say that no exploitation is currently known, not that exploitation is impractical. The attack path follows from where the bug sits: the inflate decoder processes attacker-controlled compressed data, so any route by which ROOT decompresses untrusted input, for example a crafted compressed file opened by ROOT or a compressed stream received over a network, can reach the vulnerable code.

Generated by OpenCVE AI on April 18, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a ROOT release that the project identifies as fixing this issue. At the time this page was generated no vendor fix was recorded, so check the project's release notes for a release after 6.36.00‑rc1 that addresses the inftrees.c pointer arithmetic error, and verify the installed version against the affected range (through 6.36.00‑rc1).
  • If an immediate upgrade is not possible, do not decompress zlib data from untrusted sources with an affected ROOT build. Note that input validation by the caller cannot protect against a flaw inside the decoder's own table construction; the only caller-side mitigation is to refuse untrusted compressed input (for example, compressed files of unknown origin) until a fixed release is installed.
  • Watch for crashes (segmentation faults, abnormal termination) in processes that use ROOT to decompress zlib data, in crash logs and core dumps; a crafted stream hitting an out-of-bounds read typically shows up as a crash before anything else.
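The version check suggested above (in Affected Systems and in the first recommended action), added here as a worked example; this is not OpenCVE's or the ROOT project's code. It assumes that `root-config --version` prints the installed version in ROOT's slash form (for example 6.34/08), which is an assumption about that tool's output, and it reads "through 6.36.00-rc1" literally: anything that sorts at or below that release candidate is reported as affected, anything later is reported only as outside the listed range, because this page records no vendor fix.

```python
import re
import subprocess
from typing import Optional, Tuple

# Upper bound of the affected range as stated in the CVE record.
AFFECTED_THROUGH = "6.36.00-rc1"

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc)


def parse_root_version(text: str) -> Version:
    """Parse a ROOT version string into (major, minor, patch, rc).

    Accepts the dotted form used in the CVE record ("6.36.00-rc1") and the
    slash form that `root-config --version` is assumed to print ("6.34/08").
    rc is None for a final release.
    """
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)[./](\d+)(?:-rc(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised ROOT version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch), (int(rc) if rc else None)


def version_key(v: Version) -> Tuple[int, int, int, int, int]:
    """Sort key in which a release candidate precedes the final release
    of the same number (6.36.00-rc1 < 6.36.00)."""
    major, minor, patch, rc = v
    final = 1 if rc is None else 0
    return (major, minor, patch, final, rc or 0)


def is_in_affected_range(version_text: str,
                         affected_through: str = AFFECTED_THROUGH) -> bool:
    """True if the version sorts at or below the CVE's upper bound."""
    return (version_key(parse_root_version(version_text))
            <= version_key(parse_root_version(affected_through)))


def installed_root_version() -> Optional[str]:
    """Return the output of `root-config --version`, or None if it is not
    available. Assumption: the tool prints a single version string."""
    try:
        out = subprocess.run(["root-config", "--version"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def describe(version_text: str) -> str:
    """Human-readable verdict for one version string."""
    if is_in_affected_range(version_text):
        return f"ROOT {version_text}: AFFECTED (through {AFFECTED_THROUGH})"
    return (f"ROOT {version_text}: outside the listed affected range; "
            f"confirm against the project's release notes, no fix is recorded here")


if __name__ == "__main__":
    v = installed_root_version()
    if v is None:
        print("root-config not found; call describe('<version>') with the version by hand")
    else:
        print(describe(v))
```

Run it on the host where ROOT is installed; if `root-config` is absent, pass the version string shown by `root --version` to `describe()` directly.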


Advisories

No advisories yet.

History

Tue, 03 Mar 2026 16:15:00 +0000
  Weaknesses: added CWE-125

Thu, 19 Feb 2026 17:30:00 +0000

Tue, 27 Jan 2026 21:15:00 +0000
  Metrics: added ssvc
  {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 Jan 2026 20:30:00 +0000
  First Time appeared: added Riot Project; Riot Project riot
  Vendors & Products: added Riot Project; Riot Project riot

Tue, 27 Jan 2026 09:00:00 +0000
  Description: added "Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1."
  Title: added "An improper pointer arithmetic in root-project/root at builtins/zlib/inftrees.c"
  References: added (values not shown on this page)
  Metrics: added cvssV4_0
  {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/S:N/AU:Y/R:U/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-03T15:56:14.627Z

Reserved: 2026-01-27T08:39:10.281Z

Link: CVE-2026-24812

Vulnrichment

Updated: 2026-02-19T16:11:14.745Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:51.567

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24812

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T02:30:15Z

Weaknesses