Cyber Resilience

CVE-2026-24857

Severity: Medium · Public PoC

Published: 28 January 2026
Modified: 09 February 2026
CVSS v4 score: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (29.0th percentile)
Risk priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-24857 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Simsong Bulk Extractor. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 29.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-24857 is a heap buffer overflow in the embedded unrar code of bulk_extractor, a digital forensics tool used for data extraction. The issue affects versions from 1.4 onward and lies in the RAR PPM LZ decoding path, specifically in the Unpack::CopyString function. Processing a crafted RAR archive embedded in a disk image triggers an out-of-bounds write, which crashes the tool under AddressSanitizer (ASAN) and likely causes crashes or memory corruption in production builds. The vulnerability is classified as CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write) and carries a CVSS v3.1 base score of 9.8.

The vulnerability can be exploited remotely by an unauthenticated attacker with network access; attack complexity is low and no user interaction or privileges are required. An attacker embeds a malicious RAR file in a disk image and induces a target system running bulk_extractor to process it, corrupting memory. The immediate effect is an application crash, but because the flaw is a heap overflow it also has potential for remote code execution (RCE).

The primary advisory, published on GitHub at https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q, confirms no patches are available as of the CVE publication date. Security practitioners should avoid processing untrusted disk images with affected bulk_extractor versions until a fix is released, opting for isolated environments or alternative tools for forensic analysis in the interim.

Vulnerability details

`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap-buffer-overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out-of-bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available.

CWE(s): CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Heap buffer overflow in bulk_extractor RAR parser enables remote unauthenticated RCE via crafted disk image input (no user interaction), directly supporting server-side exploitation of public-facing analysis services (T1190) or client-side exploitation when victims process attacker-supplied images (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5403 (shared: CWE-122, CWE-787)
CVE-2025-21273 (shared: CWE-122)
CVE-2026-8507 (shared: CWE-787)
CVE-2026-27648 (shared: CWE-787)
CVE-2025-58447 (shared: CWE-122, CWE-787)
CVE-2025-53853 (shared: CWE-122)
CVE-2025-49673 (shared: CWE-122)
CVE-2025-54574 (shared: CWE-122, CWE-787)
CVE-2026-31789 (shared: CWE-787)
CVE-2025-53557 (shared: CWE-122)

Affected Assets

simsong bulk_extractor, versions ≥ 1.4

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mandates monitoring for patches or workarounds and timely remediation of the unpatched heap buffer overflow flaw in bulk_extractor.

Prevent (SI-16, Memory Protection): Implements memory safeguards such as non-executable memory and ASLR to prevent RCE exploitation from the heap-based out-of-bounds write in Unpack::CopyString.

Detect (RA-5, Vulnerability Monitoring and Scanning): Vulnerability scanning detects installations of vulnerable bulk_extractor versions affected by this CVE for risk-based prioritization and response.
