Cyber Resilience

CVE-2026-4750

Critical

Published: 24 March 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: available (pull request linked below)
CVSS Score (v3.1): 9.1 — vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.0040 (32.1st percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-4750 is a critical-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4750 is an out-of-bounds read vulnerability (CWE-125) in the woof software maintained by fabiangreffrath. This issue affects woof versions prior to 15.3.0. Published on 2026-03-24, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), marking it as critical due to its potential for remote exploitation with high impacts on confidentiality and availability.

Remote attackers can exploit this vulnerability over the network without requiring user privileges or interaction, using low-complexity techniques. Successful exploitation enables disclosure of sensitive information (high confidentiality impact) and disruption of service (high availability impact), such as denial of service, while integrity remains unaffected in an unchanged security scope.

A pull request addressing the vulnerability is available at https://github.com/fabiangreffrath/woof/pull/2521. Security practitioners should review it for patch details and update to woof 15.3.0 or later to mitigate the issue.

Vulnerability details

Out-of-bounds Read vulnerability in fabiangreffrath woof. This issue affects woof: before woof_15.3.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote, unauthenticated network exploitation of a public-facing application (the game server) directly matches T1190; the out-of-bounds read can crash the application and deny service, matching T1499.004.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40890 (shared CWE-125)
CVE-2026-26264 (shared CWE-125)
CVE-2026-21863 (shared CWE-125)
CVE-2026-33598 (shared CWE-125)
CVE-2026-32877 (shared CWE-125)
CVE-2026-3622 (shared CWE-125)
CVE-2026-41503 (shared CWE-125)
CVE-2026-26008 (shared CWE-125)
CVE-2026-28815 (shared CWE-125)
CVE-2025-69808 (shared CWE-125)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 Flaw Remediation
Requires timely identification, reporting, and patching of flaws such as the out-of-bounds read in woof prior to version 15.3.0, directly preventing remote exploitation.

Detect: RA-5 Vulnerability Monitoring and Scanning
Vulnerability scanning identifies systems running woof versions affected by CVE-2026-4750, enabling remediation.

Prevent: memory protection
Implements memory protections such as ASLR and DEP that mitigate the impact of out-of-bounds reads by complicating information disclosure and exploitation; these reduce exploitability but do not remove the underlying flaw, so patching remains the primary fix.
