CVE-2026-41445
Published: 20 April 2026
Summary
CVE-2026-41445 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely flaw remediation, directly addressing the integer overflow by updating KissFFT to the fixed commit 8a8e66e or later.
SI-16 enforces memory protection mechanisms like ASLR and DEP that mitigate heap buffer overflow exploitation even if the allocation undersizing occurs.
SI-10 mandates input validation on dimensions passed to kiss_fftndr_alloc(), preventing crafted values that trigger the integer overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow leading to heap buffer overflow in KissFFT library, exploitable remotely via crafted malicious input file requiring user interaction (e.g., processing in an embedding application), directly enabling client-side code execution.
NVD Description
KissFFT before commit 8a8e66e contains an integer overflow vulnerability in the kiss_fftndr_alloc() function in kiss_fftndr.c where the allocation size calculation dimOther*(dimReal+2)*sizeof(kiss_fft_scalar) overflows signed 32-bit integer arithmetic before being widened to size_t, causing malloc() to allocate an undersized buffer. Attackers can…
more
trigger heap buffer overflow by providing crafted dimensions that cause the multiplication to exceed INT_MAX, allowing writes beyond the allocated buffer region when kiss_fftndr() processes the data.
Deeper analysisAI
KissFFT versions prior to commit 8a8e66e contain an integer overflow vulnerability in the kiss_fftndr_alloc() function within kiss_fftndr.c. The allocation size calculation, dimOther*(dimReal+2)*sizeof(kiss_fft_scalar), performs signed 32-bit integer arithmetic that overflows before widening to size_t, resulting in malloc() allocating an undersized buffer. This leads to a heap buffer overflow when kiss_fftndr() processes data with crafted dimensions that cause the multiplication to exceed INT_MAX.
Attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required, though user interaction is necessary, such as processing a malicious input file. Successful exploitation triggers a heap buffer overflow, enabling high-impact confidentiality, integrity, and availability violations (CVSS 8.8; AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), potentially allowing arbitrary code execution or denial of service in applications embedding vulnerable KissFFT code (CWE-122, CWE-190).
The fixing commit, 8a8e66e33d692bad1376fe7904d87d767730537f on the KissFFT GitHub repository, addresses the issue by correcting the allocation size computation. Security practitioners should update to this commit or later and audit dependent applications for vulnerable KissFFT integrations, as detailed in the VulnCheck advisory.
Details
- CWE(s)