CVE-2026-24828
Published: 27 January 2026
Summary
CVE-2026-24828 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the memory leak directly enables T1190 (public-facing app exploitation) to achieve DoS via T1499.004 (application/system exploitation through resource exhaustion).
NVD Description
Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.
Deeper analysisAI
CVE-2026-24828 is a Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) in Is-Daouda is-Engine. This issue affects is-Engine versions prior to 3.3.4 and was published on 2026-01-27. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Exploitation leads to high availability disruption through memory leaks, enabling denial-of-service conditions such as resource exhaustion without affecting confidentiality or integrity.
Mitigation involves upgrading to is-Engine version 3.3.4 or later. A patch addressing the issue is available in the GitHub pull request at https://github.com/Is-Daouda/is-Engine/pull/6.
Details
- CWE(s)