Cyber Resilience

CVE-2026-24811

Severity: Critical
Published: 27 January 2026
Modified: 19 February 2026
KEV Added: not listed
Patch: available
CVSS Score (v4.0): 9.3
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Amber
EPSS Score: 0.0030 (21.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-24811 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the root-project ROOT software. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24811 is a vulnerability in the root-project ROOT software, specifically affecting the builtins/zlib modules and associated with the program file inffast.C. Published on 2026-01-27T09:15:51.440, this issue impacts ROOT and is linked to CWEs including CWE-20 (Improper Input Validation), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-125 (Out-of-bounds Read), and CWE-787 (Out-of-bounds Write). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

The vulnerability enables exploitation over the network by unauthenticated attackers (PR:N) with low complexity and no user interaction required. Successful exploitation can result in high impacts on confidentiality, integrity, and availability, potentially allowing full system compromise through arbitrary code execution or denial of service.

Advisories reference a patch in GitHub pull request #18526 at https://github.com/root-project/root/pull/18526. Additional guidance on recent vulnerabilities and when ROOT needs updating appears in the CERN ROOT blog at https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/.

Vulnerability details

Vulnerability in root-project root (builtins/zlib modules), associated with the program file inffast.C. This issue affects root.

CWE(s)

CWE-20 (Improper Input Validation)
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
CWE-125 (Out-of-bounds Read)
CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A critical, remote, unauthenticated RCE via memory corruption (out-of-bounds read/write) in a network-reachable zlib code path maps directly to T1190 Exploit Public-Facing Application; per the CVSS vector, no user interaction or prior access is required.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0569 (shared: CWE-119, CWE-787)
CVE-2026-7668 (shared: CWE-119, CWE-125)
CVE-2026-1668 (shared: CWE-20, CWE-787)
CVE-2026-3703 (shared: CWE-119, CWE-787)
CVE-2026-2940 (shared: CWE-119, CWE-787)
CVE-2025-0568 (shared: CWE-119, CWE-787)
CVE-2026-4961 (shared: CWE-119, CWE-787)
CVE-2025-8243 (shared: CWE-119, CWE-787)
CVE-2026-5212 (shared: CWE-119, CWE-787)
CVE-2026-5211 (shared: CWE-119, CWE-787)

Affected Assets

Vendor: root
Product: root
Affected versions: ≤ 6.34.08

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent, recover): requires identifying, reporting, and correcting flaws like the buffer overflow in ROOT's zlib module via the available patch in GitHub PR #18526.

SI-16 Memory Protection (prevent): implements memory protections such as DEP and ASLR to prevent exploitation of out-of-bounds reads/writes and arbitrary code execution from this memory corruption vulnerability.

SI-10 Information Input Validation (prevent): enforces input validation to mitigate the CWE-20 improper input validation that triggers the buffer issues in the zlib inffast.C module.
