Cyber Resilience

CVE-2026-24874

Critical

Published: 27 January 2026

Published
27 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0026 17.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-24874 is a critical-severity Type Confusion (CWE-843) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-24874 is an Access of Resource Using Incompatible Type ('Type Confusion') vulnerability, classified under CWE-843, affecting the xray-monolith project maintained by themrdemonized. This issue impacts versions of xray-monolith prior to 2025.12.30. The vulnerability has a CVSS v3.1 base score of 9.1, reflecting its critical severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation allows attackers to achieve high confidentiality and integrity impacts, potentially enabling unauthorized data access or modification, while availability remains unaffected.

Mitigation is addressed in a GitHub pull request at https://github.com/themrdemonized/xray-monolith/pull/399, with upgrading to xray-monolith version 2025.12.30 or later recommended to resolve the issue.

EU & UK References

Vulnerability details

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in themrdemonized xray-monolith.This issue affects xray-monolith: before 2025.12.30.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated type confusion (CWE-843) in a network-exposed service directly enables exploitation of a public-facing application for high-impact confidentiality/integrity compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-47151Shared CWE-843
CVE-2024-11344Shared CWE-843
CVE-2025-70023Shared CWE-843
CVE-2025-65570Shared CWE-843
CVE-2024-11346Shared CWE-843
CVE-2026-9334Shared CWE-843
CVE-2026-43037Shared CWE-843
CVE-2026-40683Shared CWE-843
CVE-2025-53144Shared CWE-843
CVE-2026-25537Shared CWE-843

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of the type confusion flaw in xray-monolith versions prior to 2025.12.30 via patching or upgrading to 2025.12.30 or later.

prevent

Implements memory protection mechanisms that mitigate exploitation of the type confusion vulnerability by preventing unauthorized memory access and data modification.

detect

Vulnerability scanning detects systems running vulnerable versions of xray-monolith affected by CVE-2026-24874, enabling targeted remediation.

References