Description
`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap-buffer-overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out-of-bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available.
Published: 2026-01-28
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Monitor
AI Analysis

Impact

bulk_extractor includes embedded unrar code that contains a heap-based buffer overflow in the RAR PPM LZ decoding path, starting with version 1.4. When a specially crafted RAR archive is embedded inside a disk image, the Unpack::CopyString function performs an out-of-bounds write, which can crash the program or corrupt memory. The resulting corruption gives an attacker the potential to achieve remote code execution. The flaw is a classic heap-based buffer overflow (CWE-122) and an out-of-bounds write (CWE-787).

Affected Systems

The vulnerability affects the bulk_extractor forensic tool produced by Simson Garfinkel. Versions 1.4 and newer are impacted because the fault appears in the embedded unrar code shipped with 1.4 and later releases.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, while the EPSS score of less than 1% implies low exploitation likelihood at present. The flaw is not listed in the CISA KEV catalog. Attack vectors are likely local: an attacker must supply a malicious disk image that contains a specially crafted RAR archive. If an attacker can get that image processed on a system where bulk_extractor runs, the memory corruption could lead to arbitrary code execution, compromising the host. The absence of an available patch means the risk remains until a fix is released.

Generated by OpenCVE AI on April 18, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Do not run bulk_extractor on disk images containing RAR archives from untrusted sources.
  • Validate or extract RAR archives with a reliable external tool before feeding the file into bulk_extractor, ensuring that only properly formatted data is processed.
  • Run bulk_extractor inside a sandboxed or containerized environment to contain potential exploitation, limiting the impact on the host system.
  • Monitor the system for unexpected crashes or signs of memory corruption that could indicate exploitation.
  • Regularly check the vendor’s repository and security advisories for an upcoming patch or update, and upgrade as soon as a fix becomes available.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 17:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-787
CPEs | | cpe:2.3:a:simsong:bulk_extractor:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 29 Jan 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Simsong; Simsong bulk Extractor
Vendors & Products | | Simsong; Simsong bulk Extractor

Wed, 28 Jan 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap-buffer-overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out-of-bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available.
Title | | bulk_extractor has Heap-based Buffer Overflow vulnerability
Weaknesses | | CWE-122
References | |
Metrics | | cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T18:01:12.601Z

Reserved: 2026-01-27T14:51:03.061Z

Link: CVE-2026-24857

Vulnrichment

Updated: 2026-01-29T16:03:06.194Z

NVD

Status: Analyzed

Published: 2026-01-28T22:15:56.350

Modified: 2026-02-09T16:47:23.343

Link: CVE-2026-24857

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T01:45:33Z

Weaknesses