Description
Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C.

This issue affects swoole-src: before 6.0.2.
Published: 2026-01-27
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

An integer overflow or wraparound flaw has been discovered in the swoole-src project, specifically within the third-party hiredis modules and the sds.C source file. The vulnerability allows an attacker to supply crafted input that overflows an integer variable, potentially corrupting memory and causing undefined behavior. The high CVSS score of 10 reflects the critical risk of this flaw.

Affected Systems

The flaw affects all installations of swoole-src older than version 6.0.2. Users relying on the third-party hiredis modules are particularly at risk. The affected components are within the swoole-src repository, identified as swoole:swoole-src.

Risk and Exploitability

The CVSS base score indicates a critical level of risk; the EPSS score is below 1%, and the vulnerability is not yet catalogued in CISA's KEV list. The flaw resides in code that processes network or external input, but no explicit remote exploitation path is documented. An attacker could potentially trigger the overflow by sending crafted input to the hiredis component.

Generated by OpenCVE AI on April 18, 2026 at 14:54 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade swoole-src to version 6.0.2 or later, which contains the patched code.
  • If an immediate upgrade is not feasible, disable or remove the hiredis modules from the application configuration to eliminate the vulnerable code path.
  • Apply the individual patch from the official pull request (https://github.com/swoole/swoole-src/pull/5698) by manually replacing the affected sds.C file with the corrected version and rebuilding the binary.


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 20:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Swoole; Swoole swoole

Type: Vendors & Products
Values removed: (none)
Values added: Swoole; Swoole swoole

Tue, 27 Jan 2026 09:00:00 +0000

Type: Description
Values removed: (none)
Values added: Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2.

Type: Title
Values removed: (none)
Values added: A integer overflow in swoole/swoole-src

Type: Weaknesses
Values removed: (none)
Values added: CWE-190

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added: cvssV4_0 {'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:U/V:C/RE:L/U:Red'}


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T20:42:37.813Z

Reserved: 2026-01-27T08:48:56.893Z

Link: CVE-2026-24814

Vulnrichment

Updated: 2026-01-27T20:42:09.563Z

NVD

Status: Deferred

Published: 2026-01-27T09:15:51.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24814

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:00:03Z

Weaknesses