Description
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.
Published: 2026-04-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the APFS keybag parser within Sleuth Kit versions up to 4.14.0. An attacker can supply an APFS disk image that contains crafted length fields; the wrapped_key_parser routine follows these fields without performing bounds checking, resulting in a heap read that exceeds the allocated buffer. The read can expose data beyond the intended scope or cause the processing tool to crash. This type of flaw is categorized as CWE‑125 (Out‑of‑Bounds Read).

Affected Systems

Sleuth Kit, the open‑source digital forensics framework, is affected when processing APFS volumes. All versions of the Sleuth Kit up to and including 4.14.0 that provide APFS keybag parsing functionality are vulnerable; newer releases may have addressed the issue. Users running any Sleuth Kit tools that analyze APFS volumes on untrusted or potentially malicious disk images are at risk.

Risk and Exploitability

The CVSS score of 4.8 indicates a medium severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, further indicating limited known exploitation. The attack vector requires an attacker-controlled APFS disk image to be processed by the tool; therefore, exposure generally occurs when individuals or automated workflows ingest malicious or compromised disk images. Prompt patching mitigates the risk, as the flaw cannot be partially mitigated by configuration alone.

Generated by OpenCVE AI on April 13, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sleuth Kit to the latest available release that removes the out‑of‑bounds read issue; if a newer version is not yet published, apply the patch provided in the referenced commit or update the repository to the fixed code branch.
  • Avoid processing untrusted APFS disk images with older versions of Sleuth Kit until a secure version is deployed.
  • Monitor the Sleuth Kit project’s repository, issue tracker, and security advisories for an official fix or further guidance.

Generated by OpenCVE AI on April 13, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:sleuthkit:the_sleuth_kit:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Sleuthkit
Sleuthkit the Sleuth Kit
Vendors & Products Sleuthkit
Sleuthkit the Sleuth Kit

Wed, 08 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.
Title Sleuth Kit APFS Keybag Parser Out-of-Bounds Read
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Sleuthkit The Sleuth Kit
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-09T16:16:39.403Z

Reserved: 2026-04-08T13:36:42.932Z

Link: CVE-2026-40025

cve-icon Vulnrichment

Updated: 2026-04-09T15:03:20.256Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T22:16:22.603

Modified: 2026-04-15T20:52:40.717

Link: CVE-2026-40025

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:37:02Z

Weaknesses