Description
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30.
Published: 2026-01-27
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

The xray‑monolith component suffers a type‑confusion flaw where a value of one type is accessed using an incompatible type. Such misuse of type handling can corrupt memory, causing unexpected reads or writes that may undermine confidentiality, integrity, and availability if an attacker can trigger the behavior. The high severity score of 9.1 reflects the potential for deep compromise.

Affected Systems

The vulnerability applies to the xray‑monolith released by themrdemonized. Any deployment of the component prior to the 2025.12.30 release is considered affected; the CVE description does not enumerate additional minor revisions.

Risk and Exploitability

The CVSS score of 9.1 marks the flaw as critical. Its EPSS score is < 1%, indicating a low current exploitation probability, and it is not listed in the CISA KEV catalog. Based on the nature of a type‑confusion bug and the fact that the service is a network‑facing process, it is inferred that a remote attacker could potentially exploit the flaw via a client request, but no documented exploitation vector is provided at this time.

Generated by OpenCVE AI on April 18, 2026 at 20:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the xray‑monolith component to version 2025.12.30 or later, as the fix for the type‑confusion flaw is included in that release.
  • If an immediate upgrade is infeasible, isolate the service from untrusted networks by placing it behind a firewall or restricting it to an internal subnet, thereby limiting exposure.
  • Apply strict runtime type validation or disable any unsafe type coercion within the application code to mitigate the underlying type‑confusion weakness identified by CWE‑843.


Advisories

No advisories yet.

History

Wed, 28 Jan 2026 12:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Themrdemonized; Themrdemonized xray-monolith |
| Vendors & Products | | Themrdemonized; Themrdemonized xray-monolith |

Tue, 27 Jan 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 27 Jan 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. |
| Title | | Type confusion in xray-monolith |
| Weaknesses | | CWE-843 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-01-27T16:48:38.430Z

Reserved: 2026-01-27T15:46:29.599Z

Link: CVE-2026-24874

Vulnrichment

Updated: 2026-01-27T16:48:32.284Z

NVD

Status: Deferred

Published: 2026-01-27T16:16:36.880

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses