CVE-2026-40025

NameCVE-2026-40025
DescriptionThe Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1133074

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sleuthkit (PTS)bullseye4.10.1+dfsg-1vulnerable
bookworm4.11.1+dfsg-1vulnerable
trixie4.12.1+dfsg-3vulnerable
forky, sid4.14.0+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sleuthkitsource(unstable)(unfixed)unimportant1133074

Notes

Crash in CLI tool, no security impact
https://github.com/sleuthkit/sleuthkit/pull/3444
https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611
Search for package or bug name: Reporting problems