Description
Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src‎ modules). This vulnerability is associated with program files inflate.C.

This issue affects proton: before 1.6.16.
Published: 2026-03-24
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption potentially leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

This entry describes an out-of-bounds write vulnerability located in the proton project’s base/poco/Foundation/src modules, specifically involving program files inflate.C. The flaw can corrupt internal data structures, which is a classic memory corruption weakness, identified as CWE-787. If successfully exploited, the attacker may gain the ability to execute arbitrary code or compromise the integrity of the affected application. The description does not provide explicit details on confidentiality or availability impact, but arbitrary code execution is typically severe.

Affected Systems

The vulnerability affects the timeplus-io Proton software, impacting all releases before version 1.6.16. Users running Proton 1.6.15 or earlier are therefore exposed. No additional vendor or system details are listed in the CVE record.

Risk and Exploitability

The CVSS score for this issue is 10, indicating maximum severity. The EPSS score is not available, and the vulnerability is not included in the CISA KEV catalog. An attacker would need to trigger the out-of-bounds write, likely by interacting with the inflate.C component; the exact attack vector is not explicitly stated, so it is inferred that exploitation would require some form of interaction with Proton’s processing of certain inputs. Given the high severity score and absence of mitigation hints, the risk is considered high.

Generated by OpenCVE AI on March 24, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Proton patch by upgrading to version 1.6.16 or newer.

Generated by OpenCVE AI on March 24, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Timeplus-io
Timeplus-io proton
Vendors & Products Timeplus-io
Timeplus-io proton

Tue, 24 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src‎ modules). This vulnerability is associated with program files inflate.C. This issue affects proton: before 1.6.16.
Title Heap Buffer Over-Write Vulenrabilty in timeplus-io/proton
Weaknesses CWE-787
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

Subscriptions

Timeplus-io Proton
cve-icon MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published:

Updated: 2026-03-24T18:25:06.762Z

Reserved: 2026-03-24T03:28:09.194Z

Link: CVE-2026-4746

cve-icon Vulnrichment

Updated: 2026-03-24T18:25:03.318Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T05:16:25.937

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4746

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:40:13Z

Weaknesses