Description
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
Published: 2026-04-08
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Update Package
AI Analysis

Impact

The vulnerability resides in the ISO9660 filesystem parser of Sleuth Kit versions up to and including 4.14.0. While walking SUSP (System Use Sharing Protocol) entries, parse_susp() reads the len_id, len_des and len_src fields of an extension reference (ER) entry straight from the image and uses them as memcpy lengths into a stack buffer, without checking that the source bytes lie inside the SUSP block being parsed. A crafted ISO image can therefore make the routine read past the end of the SUSP data buffer, and a zero-length SUSP entry results in an infinite parsing loop. The consequences are an out-of-bounds read with possible disclosure of adjacent memory, and a crash or hang of the process parsing the image (denial of service). The weakness is classified as CWE-125, out-of-bounds read.
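To make the bug class concrete, here is an added example that is not Sleuth Kit's parse_susp() and not the patched code: two hypothetical SUSP walkers over constructed input. The unchecked walker trusts len_id from an ER entry and ignores the size of the block it was handed, so an oversized len_id copies bytes from beyond the block (here, sentinel bytes placed after the block in the same buffer, standing in for adjacent memory), and a zero-length entry never advances the offset; a demo-only iteration cap turns that infinite loop into an error code so the program terminates. The checked walker rejects any entry that does not cover its own header and any ER entry whose len_id + len_des + len_src exceed the bytes the entry owns. The entry layout (2-byte signature, 1-byte total length, 1-byte version, then for ER the four 1-byte length/version fields) follows the SUSP/Rock Ridge specification; the function names, return codes and the three sample images are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

enum {                       /* return codes shared by both walkers (constructed) */
    SUSP_ERR_TRUNCATED = -1, /* entry, or its ER length fields, runs past the block */
    SUSP_ERR_ZERO_LEN  = -2, /* entry length smaller than its own header */
    SUSP_ERR_LOOP      = -3  /* demo-only: the unchecked walker stopped advancing */
};
#define SUSP_HDR_LEN 4   /* SUSP entry header: signature[2], length, version */
#define ER_FIXED_LEN 8   /* header + len_id, len_des, len_src, ext_ver */
#define ID_BUF_SZ    256 /* holds any 8-bit len_id, so only the source side is unsafe */

/* Vulnerable pattern (hypothetical, not TSK's parse_susp()): len_id is read from
 * the image and used as a memcpy length, block_len is never consulted, and a
 * zero-length entry leaves 'off' unchanged. max_iters exists only so that this
 * demo terminates instead of spinning forever. */
static int walk_susp_unchecked(const uint8_t *block, size_t block_len,
                               char id_out[ID_BUF_SZ], size_t max_iters)
{
    size_t off = 0, iters = 0; int found = 0;
    (void)block_len;                    /* the bug: the block size is ignored */
    id_out[0] = '\0';
    while (iters++ < max_iters) {
        const uint8_t *e = block + off;
        if (e[0] == 'S' && e[1] == 'T') /* ST entry terminates the area */
            break;
        if (e[0] == 'E' && e[1] == 'R') {
            uint8_t len_id = e[4];      /* trusted as-is */
            memcpy(id_out, e + ER_FIXED_LEN, len_id); /* source may run past the block */
            id_out[len_id] = '\0';
            found++;
        }
        off += e[2];                    /* e[2] == 0: same entry again, forever */
    }
    return iters > max_iters ? SUSP_ERR_LOOP : found;
}

/* Hardened walker: every length is checked against the bytes the block and the
 * entry actually own, and an entry must cover at least its own header to advance. */
static int walk_susp_checked(const uint8_t *block, size_t block_len,
                             char id_out[ID_BUF_SZ])
{
    size_t off = 0; int found = 0;
    id_out[0] = '\0';
    while (off + SUSP_HDR_LEN <= block_len) {
        const uint8_t *e = block + off;
        uint8_t len = e[2];
        if (e[0] == 'S' && e[1] == 'T')
            break;
        if (len < SUSP_HDR_LEN)
            return SUSP_ERR_ZERO_LEN;   /* no forward progress possible: reject */
        if (len > block_len - off)
            return SUSP_ERR_TRUNCATED;  /* entry claims bytes outside the block */
        if (e[0] == 'E' && e[1] == 'R') {
            if (len < ER_FIXED_LEN)
                return SUSP_ERR_TRUNCATED;
            uint8_t len_id = e[4], len_des = e[5], len_src = e[6];
            /* id + description + source must fit inside this entry's own bytes */
            if ((size_t)len_id + len_des + len_src > (size_t)len - ER_FIXED_LEN)
                return SUSP_ERR_TRUNCATED;
            memcpy(id_out, e + ER_FIXED_LEN, len_id);
            id_out[len_id] = '\0';
            found++;
        }
        off += len;
    }
    return found;
}

/* Constructed sample data (not from any real ISO): the SUSP area is the first
 * block_len bytes, and whatever follows it stands in for adjacent memory. */
static const uint8_t IMG_GOOD[] = {
    'E','R', 18, 1,  10, 0, 0, 1,  'R','R','I','P','_','1','9','9','1','A', 'S','T', 4, 1 };
static const uint8_t IMG_OVERLONG[] = {
    'E','R', 12, 1,  30, 0, 0, 1,  'R','R','I','P',  /* len_id says 30, entry holds 4 */
    'S','T', 4, 1,
    'S','E','C','R','E','T','S','E','C','R','E','T',  /* "adjacent memory" */
    'S','E','C','R','E','T','S','E','C','R','E','T' };
#define OVERLONG_BLOCK_LEN 16
static const uint8_t IMG_ZERO[] = { 'E','R', 0, 1,  0, 0, 0, 1,  'S','T', 4, 1 };

/* Result code of one walker over one image; use_checked selects the walker. */
static int demo_rc(const uint8_t *img, size_t block_len, int use_checked)
{
    char id[ID_BUF_SZ];
    return use_checked ? walk_susp_checked(img, block_len, id)
                       : walk_susp_unchecked(img, block_len, id, 1000);
}
/* 1 if the walker succeeded and the identifier it copied out contains 'needle'. */
static int demo_id_has(const uint8_t *img, size_t block_len, int use_checked,
                       const char *needle)
{
    char id[ID_BUF_SZ];
    int rc = use_checked ? walk_susp_checked(img, block_len, id)
                         : walk_susp_unchecked(img, block_len, id, 1000);
    return rc >= 0 && strstr(id, needle) != NULL;
}
```

Calling demo_rc(IMG_OVERLONG, OVERLONG_BLOCK_LEN, 0) returns 1 (one ER entry "parsed"), and demo_id_has(IMG_OVERLONG, OVERLONG_BLOCK_LEN, 0, "SECRET") returns 1 because the unchecked copy carried the sentinel bytes that follow the block into the identifier; the checked walker returns SUSP_ERR_TRUNCATED on the same input. For IMG_ZERO the unchecked walker exhausts its iteration cap (SUSP_ERR_LOOP) where the real parser would never return, and the checked walker returns SUSP_ERR_ZERO_LEN. The check that matters is the one at the start of the hardened loop: an entry must cover at least its own header, and its declared length must fit in the remainder of the block, before any field inside it is trusted.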

Affected Systems

The affected product is Sleuth Kit from the sleuthkit organization; all versions up to and including 4.14.0 are impacted. Commit a95b0ac and pull request 3445 contain the fix.

Risk and Exploitability

The CVSS v4.0 base score is 4.8 (v3.1: 4.4), indicating moderate severity. EPSS currently rates the probability of exploitation below 1%, the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and the SSVC assessment records no known exploitation and rates the flaw as not automatable. Both CVSS vectors specify a local attack vector with user interaction (AV:L with UI:R in v3.1, UI:P in v4.0): the attacker must get a crafted ISO image in front of a Sleuth Kit tool that parses it, for example an analyst opening an evidence image. The outcome is a crash or hang of the parsing process and limited disclosure of adjacent memory (C:L); nothing on the record indicates remote code execution or an integrity impact.

Generated by OpenCVE AI on April 8, 2026 at 22:24 UTC.

Remediation

No vendor advisory or workaround is recorded for this entry; the fix is in commit a95b0ac (pull request 3445) in the sleuthkit repository.

OpenCVE Recommended Actions

  • Upgrade Sleuth Kit to a release newer than 4.14.0 that includes commit a95b0ac (pull request 3445), or apply that patch to a source build.
  • If an immediate upgrade is not possible, process ISO images from untrusted sources only in an isolated, disposable environment (a container or VM), so that a crash or hang of the parser cannot disrupt other analysis work, and quarantine such images otherwise.
  • Verify the provenance of ISO images (hashes or signatures from the party that produced them) before processing them with Sleuth Kit; note that a provenance check does not protect against an image that was malicious when it was produced.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 17:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:sleuthkit:the_sleuth_kit:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 04:15:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type: First Time appeared
Values added: Sleuthkit; Sleuthkit the Sleuth Kit

Type: Vendors & Products
Values added: Sleuthkit; Sleuthkit the Sleuth Kit

Wed, 08 Apr 2026 21:45:00 +0000

Type: Description
Values added: The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.

Type: Title
Values added: Sleuth Kit ISO9660 SUSP Extension Reference Out-of-Bounds Read

Type: Weaknesses
Values added: CWE-125

Type: References
Values added:

Type: Metrics (cvssV3_1)
Values added: {'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

Type: Metrics (cvssV4_0)
Values added: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-09T19:39:36.707Z

Reserved: 2026-04-08T13:36:44.872Z

Link: CVE-2026-40026

Vulnrichment

Updated: 2026-04-09T19:38:30.612Z

NVD

Status : Analyzed

Published: 2026-04-08T22:16:22.780

Modified: 2026-04-17T17:14:18.190

Link: CVE-2026-40026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:56Z

Weaknesses