CVE-2026-24857
Published: 28 January 2026
Summary
CVE-2026-24857 is a medium-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Simsong Bulk Extractor. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-24857 is a heap buffer overflow vulnerability in the embedded unrar code of bulk_extractor, a digital forensics tool used for data extraction. The issue affects versions starting from 1.4 and occurs in the RAR PPM LZ decoding path, specifically within the Unpack::CopyString function. Processing a crafted RAR archive embedded in a disk image triggers an out-of-bounds write, resulting in a crash when detected by AddressSanitizer (ASAN) and likely causing crashes or memory corruption in production builds. The vulnerability is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write), earning a CVSS v3.1 base score of 9.8.
The vulnerability can be exploited remotely by any unauthenticated attacker with network access, requiring low complexity and no user interaction or privileges. An attacker crafts a malicious RAR file within a disk image and induces a target system running bulk_extractor to process it, leading to memory corruption. While immediate effects include application crashes, the flaw has potential for remote code execution (RCE) due to the nature of the heap overflow.
The primary advisory, published on GitHub at https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q, confirms no patches are available as of the CVE publication date. Security practitioners should avoid processing untrusted disk images with affected bulk_extractor versions until a fix is released, opting for isolated environments or alternative tools for forensic analysis in the interim.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4855
Vulnerability details
`bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`'s embedded unrar code has a heap-buffer-overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out-of-bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There's potential for using this for RCE. As of time of publication, no known patches are available.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The heap buffer overflow in the bulk_extractor RAR parser is reachable through crafted disk image input with no user interaction and could enable remote unauthenticated RCE. This maps to server-side exploitation of public-facing analysis services (Exploit Public-Facing Application, T1190) and to client-side exploitation when victims process attacker-supplied images (Exploitation for Client Execution, T1203).
Mitigating Controls (NIST 800-53 r5, AI-generated)
- Flaw remediation: directly mandates monitoring for patches or workarounds and timely remediation of the unpatched heap buffer overflow flaw in bulk_extractor.
- SI-16 (Memory Protection): implements memory safeguards such as non-executable memory and ASLR to reduce the chance that the heap-based out-of-bounds write in Unpack::CopyString can be turned into RCE.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning detects installations of bulk_extractor versions affected by this CVE for risk-based prioritization and response.