CVE-2026-24828
Published: 27 January 2026
Summary
CVE-2026-24828 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-24828 is a Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) in Is-Daouda is-Engine. This issue affects is-Engine versions prior to 3.3.4 and was published on 2026-01-27. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Exploitation leads to high availability disruption through memory leaks, enabling denial-of-service conditions such as resource exhaustion without affecting confidentiality or integrity.
Mitigation involves upgrading to is-Engine version 3.3.4 or later. A patch addressing the issue is available in the GitHub pull request at https://github.com/Is-Daouda/is-Engine/pull/6.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4807
Vulnerability details
Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the memory leak directly enables T1190 (public-facing app exploitation) to achieve DoS via T1499.004 (application/system exploitation through resource exhaustion).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, reporting, and timely remediation of the memory leak vulnerability in is-Engine versions prior to 3.3.4 via patching to version 3.3.4 or later.
Protects system resource availability, including memory, against exhaustion attacks like the DoS caused by this CVE's memory leak.
Implements protections against denial-of-service attacks, mitigating the high availability impact from remote exploitation of the memory leak.