CVE-2026-24811
Published: 27 January 2026
Summary
CVE-2026-24811 is a critical-severity Improper Input Validation (CWE-20) vulnerability in root-project ROOT. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24811 is a vulnerability in the root-project ROOT software, specifically affecting the builtins/zlib modules and associated with the program file inffast.C. Published on 2026-01-27T09:15:51.440, this issue impacts ROOT and is linked to CWEs including CWE-20 (Improper Input Validation), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-125 (Out-of-bounds Read), and CWE-787 (Out-of-bounds Write). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
The vulnerability enables exploitation over the network by unauthenticated attackers (PR:N) with low complexity and no user interaction required. Successful exploitation can result in high impacts on confidentiality, integrity, and availability, potentially allowing full system compromise through arbitrary code execution or denial of service.
Advisories reference a patch in GitHub pull request #18526 at https://github.com/root-project/root/pull/18526. Additional guidance on recent vulnerabilities and when ROOT needs updating appears in the CERN ROOT blog at https://root.cern/blog/recent-common-vulnerabilities-when-does-ROOT-need-to-be-updated/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4830
Vulnerability details
Vulnerability in root-project ROOT (builtins/zlib modules), associated with the program file inffast.C. This issue affects ROOT.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A critical, remote, unauthenticated RCE via memory corruption (out-of-bounds read/write) in a network-reachable zlib code path maps directly to T1190 Exploit Public-Facing Application; per the CVSS vector, no user interaction or prior access is required.
Mitigating Controls (NIST 800-53 r5)
SI-2 requires identifying, reporting, and correcting flaws like the buffer overflow in ROOT's zlib module via the available patch in GitHub PR #18526.
SI-16 implements memory protections such as DEP and ASLR to make exploitation of the out-of-bounds reads/writes, and the arbitrary code execution they could enable, harder to achieve reliably.
SI-10 enforces input validation to mitigate CWE-20 improper input validation that triggers the buffer issues in the zlib inffast.C module.