CVE-2026-24874

Critical

Published: 27 January 2026

Published

27 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0005 14.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24874 is a critical-severity Type Confusion (CWE-843) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of the type confusion flaw in xray-monolith versions prior to 2025.12.30 via patching or upgrading to 2025.12.30 or later.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms that mitigate exploitation of the type confusion vulnerability by preventing unauthorized memory access and data modification.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Vulnerability scanning detects systems running vulnerable versions of xray-monolith affected by CVE-2026-24874, enabling targeted remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote unauthenticated type confusion (CWE-843) in a network-exposed service directly enables exploitation of a public-facing application for high-impact confidentiality/integrity compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.

Deeper analysisAI

CVE-2026-24874 is an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability, classified under CWE-843, affecting the xray-monolith project maintained by themrdemonized. This issue impacts versions of xray-monolith prior to 2025.12.30. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation allows attackers to achieve high confidentiality and integrity impacts, potentially enabling unauthorized data access or modification, while availability remains unaffected.

Mitigation is addressed in a GitHub pull request at https://github.com/themrdemonized/xray-monolith/pull/399, with upgrading to xray-monolith version 2025.12.30 or later recommended to resolve the issue.

Details

CWE(s): CWE-843

CVEs Like This One

CVE-2025-47151Shared CWE-843

CVE-2025-70023Shared CWE-843

CVE-2025-65570Shared CWE-843

CVE-2026-25537Shared CWE-843

CVE-2025-53144Shared CWE-843

CVE-2026-40683Shared CWE-843

CVE-2026-21854Shared CWE-843

CVE-2026-5865Shared CWE-843

CVE-2026-4702Shared CWE-843

CVE-2025-21342Shared CWE-843

References

https://github.com/themrdemonized/xray-monolith/pull/399
cve_disclosure@tech.gov.sg