CVE-2026-40026
Published: 08 April 2026
Summary
CVE-2026-40026 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Sleuthkit The Sleuth Kit. Its CVSS base score is 4.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 2.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of software flaws like the out-of-bounds read and infinite loop in Sleuth Kit's ISO9660 parser via patching.
Requires vulnerability scanning and monitoring of sources to identify and prioritize remediation for CVEs such as CVE-2026-40026 in deployed Sleuth Kit instances.
Enforces validation of untrusted inputs like len_id, len_des, and len_src fields from ISO images to prevent buffer overreads in filesystem parsers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The out-of-bounds read and infinite loop in the ISO9660 parser are triggered when a user opens a malicious ISO image with the vulnerable Sleuth Kit software, directly mapping to user execution of a malicious file.
NVD Description
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the…
more
source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
Deeper analysisAI
The Sleuth Kit through version 4.14.0 is affected by an out-of-bounds read vulnerability (CWE-125) in its ISO9660 filesystem parser. The issue resides in the parse_susp() function, which trusts the len_id, len_des, and len_src fields from a disk image without verifying that the source data falls within the parsed SUSP block before using memcpy to copy data into a stack buffer. This allows reads past the end of the SUSP data buffer. Additionally, a zero-length SUSP entry can trigger an infinite parsing loop.
Exploitation requires local access (AV:L) with low attack complexity (AC:L), no privileges (PR:N), and user interaction (UI:R), such as opening a malicious ISO image with the affected software. Successful exploitation can result in low-impact confidentiality loss (C:L) through potential information disclosure from the out-of-bounds read, or low-impact availability disruption (A:L) via denial of service from the buffer overread or infinite loop, with no integrity impact (I:N) and unchanged scope (S:U). The overall CVSS v3.1 base score is 4.4 (Medium).
Mitigation is addressed in patches referenced in the Sleuth Kit GitHub repository, including commit a95b0ac21733b059a517aaefa667a17e1bcbdee1 and pull request #3445. Additional details are available in advisories from VulnCheck and other sources like mobasi.ai/sentinel. Security practitioners should update to a patched version of Sleuth Kit beyond 4.14.0 when analyzing disk images.
Details
- CWE(s)