Cyber Resilience

CVE-2026-24872

Severity: Critical
Published: 27 January 2026
Modified: 15 April 2026
Patch: available
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0029 (20.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-24872 is a critical-severity Incorrect Pointer Scaling (CWE-468) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it at the 20.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-24872 is an improper pointer arithmetic vulnerability, classified under CWE-468, in ProjectSkyfire's SkyFire_548 software. This issue affects SkyFire_548 versions prior to 5.4.8-stable5. The vulnerability was published on 2026-01-27.

The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates critical severity, exploitable remotely over the network with low attack complexity. No privileges, user interaction, or special conditions are required. Unauthenticated attackers can achieve high impacts on confidentiality, integrity, and availability, potentially resulting in complete system compromise.

A patch addressing the vulnerability is available in the GitHub pull request at https://github.com/cadaver/turso3d/pull/11.


Vulnerability details

Improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated network exploit (AV:N/PR:N/UI:N) in publicly reachable software enabling arbitrary code execution and full system compromise directly maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Mitigating Controls (NIST 800-53 r5)

- prevent, detect: Directly mandates timely remediation of known software flaws, such as this improper pointer arithmetic vulnerability, through patching, as a patch is available.

- prevent (SI-16, Memory Protection): Provides memory protection mechanisms such as address space randomization and stack guards that hinder exploitation of pointer arithmetic errors leading to remote code execution.

- detect (RA-5, Vulnerability Monitoring and Scanning): Requires vulnerability scanning and monitoring to identify systems running versions of SkyFire_548 affected by this CVE.
