CVE-2026-24872
Published: 27 January 2026
Summary
CVE-2026-24872 is a critical-severity Incorrect Pointer Scaling (CWE-468) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-24872 is an improper pointer arithmetic vulnerability, classified under CWE-468, in ProjectSkyfire's SkyFire_548 software. This issue affects SkyFire_548 versions prior to 5.4.8-stable5. The vulnerability was published on 2026-01-27.
The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity, exploitable remotely over the network with low attack complexity. No privileges, user interaction, or special conditions are required. Unauthenticated attackers can achieve high impacts on confidentiality, integrity, and availability, potentially resulting in complete system compromise.
A patch addressing the vulnerability is available in the GitHub pull request at https://github.com/cadaver/turso3d/pull/11.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4818
Vulnerability details
improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548.This issue affects SkyFire_548: before 5.4.8-stable5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploit (AV:N/PR:N/UI:N) in publicly reachable software enabling arbitrary code execution and full system compromise directly maps to exploitation of public-facing applications.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely remediation of known software flaws like this improper pointer arithmetic vulnerability through patching, as a patch is available.
Provides memory protection mechanisms such as address space randomization and stack guards that prevent exploitation of pointer arithmetic errors leading to remote code execution.
Requires vulnerability scanning and monitoring to identify systems running vulnerable versions of SkyFire_548 affected by this CVE.