CVE-2026-40026 MEDIUM

CVE-2026-40026: Sleuth Kit ISO9660 SUSP Extension Reference Out-of-Bounds Read

Vendor Sleuthkit
Product sleuthkit
Weakness CWE-125
Published April 8, 2026
Last update April 9, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality Low
Integrity None
Availability Low

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

Description

The Sleuth Kit through 4.14.0 contains an out-of-bounds read in its ISO9660 filesystem parser. The parse_susp() function takes the len_id, len_des and len_src length fields of a SUSP Extension Reference (ER) entry directly from the disk image and uses them as memcpy lengths into a stack buffer, without verifying that the source bytes lie within the SUSP block being parsed. A crafted ISO image can therefore make the parser read past the end of the SUSP data buffer, and a SUSP entry whose length field is zero can trigger an infinite parsing loop, because the entry walker advances by the entry's own length and never makes progress.

Consistent with the CVSS vector (AV:L, UI:P), the exposure is a crafted image that an analyst opens with a TSK command-line tool or with software built on the TSK library; the expected outcomes are a crash or hang of the parsing process and leakage of out-of-bounds memory into the parsed extension strings.
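The following is an added example, not code from The Sleuth Kit, showing a bounds-checked SUSP entry walker with the three checks the description implies are missing: the entry length must fit in the block, a zero-length entry must abort rather than stall the loop, and an ER entry's len_id/len_des/len_src payloads must fit inside the entry before any memcpy. The field layout follows the SUSP (IEEE P1281) ER entry; the function and sample names are hypothetical, and the sample block is constructed here for the demonstration.

```c
/* Added example (not TSK's parse_susp()): bounds-checked SUSP/ER walker.
 * ER layout per SUSP: "ER", len, ver, len_id, len_des, len_src, ext_ver,
 * then ext_id[len_id], ext_des[len_des], ext_src[len_src]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SUSP_HDR_LEN      4   /* sig[2], len, ver */
#define SUSP_ER_FIXED_LEN 8   /* header + len_id, len_des, len_src, ext_ver */

/* 256 is enough because each len field is a single byte (max 255 + NUL). */
typedef struct {
    char id[256];
    char des[256];
    char src[256];
} susp_er_t;

/* Walks one SUSP block. Returns the number of entries visited, or:
 *  -1  an entry's length runs past the end of the block
 *  -2  an ER entry's variable payloads run past the end of the entry
 *  -3  an entry length below the header size (a zero-length entry would
 *      leave 'off' unchanged forever in an unchecked loop) */
int parse_susp_checked(const uint8_t *buf, size_t buf_len,
                       susp_er_t *er, int *found_er)
{
    size_t off = 0;
    int count = 0;
    *found_er = 0;

    while (off + SUSP_HDR_LEN <= buf_len) {
        uint8_t len = buf[off + 2];

        if (len < SUSP_HDR_LEN)          /* check: must make progress */
            return -3;
        if (len > buf_len - off)         /* check: entry inside block */
            return -1;

        if (buf[off] == 'E' && buf[off + 1] == 'R') {
            if (len < SUSP_ER_FIXED_LEN)
                return -2;
            uint8_t len_id  = buf[off + 4];
            uint8_t len_des = buf[off + 5];
            uint8_t len_src = buf[off + 6];
            /* check: the bound the vulnerable memcpy calls lacked */
            if ((size_t)len_id + len_des + len_src >
                (size_t)len - SUSP_ER_FIXED_LEN)
                return -2;
            const uint8_t *p = buf + off + SUSP_ER_FIXED_LEN;
            memcpy(er->id,  p, len_id);                  er->id[len_id]   = '\0';
            memcpy(er->des, p + len_id, len_des);        er->des[len_des] = '\0';
            memcpy(er->src, p + len_id + len_des, len_src); er->src[len_src] = '\0';
            *found_er = 1;
        }
        count++;
        if (buf[off] == 'S' && buf[off + 1] == 'T')  /* ST terminates SUSP */
            break;
        off += len;
    }
    return count;
}

/* Constructed sample: a well-formed ER entry followed by an ST terminator.
 * Writes the block into 'out' (needs >= 28 bytes) and returns its length. */
size_t sample_susp_block(uint8_t *out)
{
    static const uint8_t block[] = {
        'E', 'R', 24, 1,            /* sig, len, ver */
        10, 3, 3, 1,                /* len_id, len_des, len_src, ext_ver */
        'R','R','I','P','_','1','9','9','1','A',
        'D','E','S',
        'S','R','C',
        'S', 'T', 4, 1              /* terminator */
    };
    memcpy(out, block, sizeof block);
    return sizeof block;
}

int main(void)
{
    uint8_t b[64];
    susp_er_t er;
    int found;
    size_t n = sample_susp_block(b);

    printf("good block: rc=%d id=%s\n", parse_susp_checked(b, n, &er, &found), er.id);
    b[4] = 200;            /* len_id larger than the entry: the CVE's case */
    printf("oversized len_id: rc=%d\n", parse_susp_checked(b, n, &er, &found));
    n = sample_susp_block(b); b[2] = 0;   /* zero-length entry */
    printf("zero-length entry: rc=%d\n", parse_susp_checked(b, n, &er, &found));
    return 0;
}
```

Flipping a single length byte in the sample (len_id to 200, or the entry length to 0) is enough to exercise both failure modes from the description; an unchecked walker would read 200 bytes from a 28-byte block in the first case and never terminate in the second.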

Key dates

Disclosure timeline

April 8, 2026 CVE published
April 9, 2026 Record updated