This vulnerability is an integer overflow or wrap‑around in the Expat parser module of the InsightSoftwareConsortium ITK library. The overflow can lead to an out‑of‑bounds memory write when parsing certain data, which in turn may allow an attacker to execute arbitrary code and compromise the integrity and confidentiality of the application that uses ITK. The weakness is classified as CWE-190, a classic integer overflow flaw.

The vulnerable component is present in all versions of InsightSoftwareConsortium ITK before 2.7.1. Users deploying older ITK releases should verify that their system uses a pre‑2.7.1 version and consider updating to the supported release.

With a CVSS score of 9.4 the flaw is considered critical, placing it in the high‑threat category. While EPSS data is not available, the lack of any mitigation information in the CISA KEV catalogue implies that exploitation may still be possible in the wild. The attack likely requires the attacker to supply specially crafted data to the ITK parser, a scenario that can arise in any environment that processes untrusted input. The severity suggests the vulnerability can be exploited without user interaction and could lead to remote execute if the target application has sufficient privileges.