Cyber Resilience

CVE-2026-24828

High

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0008 23.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24828 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24828 is a Missing Release of Memory after Effective Lifetime vulnerability (CWE-401) in Is-Daouda is-Engine. This issue affects is-Engine versions prior to 3.3.4 and was published on 2026-01-27. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impacts.

Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Exploitation leads to high availability disruption through memory leaks, enabling denial-of-service conditions such as resource exhaustion without affecting confidentiality or integrity.

Mitigation involves upgrading to is-Engine version 3.3.4 or later. A patch addressing the issue is available in the GitHub pull request at https://github.com/Is-Daouda/is-Engine/pull/6.

EU & UK References

Vulnerability details

Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine.This issue affects is-Engine: before 3.3.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated network exploitation of the memory leak directly enables T1190 (public-facing app exploitation) to achieve DoS via T1499.004 (application/system exploitation through resource exhaustion).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25988Shared CWE-401
CVE-2025-1634Shared CWE-401
CVE-2026-25969Shared CWE-401
CVE-2025-20239Shared CWE-401
CVE-2025-56353Shared CWE-401
CVE-2026-31711Shared CWE-401
CVE-2025-21091Shared CWE-401
CVE-2026-25796Shared CWE-401
CVE-2026-23095Shared CWE-401
CVE-2026-3104Shared CWE-401

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates identification, reporting, and timely remediation of the memory leak vulnerability in is-Engine versions prior to 3.3.4 via patching to version 3.3.4 or later.

prevent

Protects system resource availability, including memory, against exhaustion attacks like the DoS caused by this CVE's memory leak.

prevent

Implements protections against denial-of-service attacks, mitigating the high availability impact from remote exploitation of the memory leak.

References