CVE-2026-40026

Name: CVE-2026-40026
Description: The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1133075
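
The two checks the description says are missing (that an entry's own length fits inside the SUSP block that was actually read, and that len_id + len_des + len_src fit inside that entry), plus a guard against an entry whose length field never advances the walk, shown as an added C example. This is hypothetical code written for this page, not the Sleuth Kit's parse_susp() and not the upstream fix; it assumes only the SUSP layout of a 4-byte entry header (signature, length, version) followed, for an "ER" entry, by len_id, len_des, len_src and ext_ver before the three strings, and an "ST" entry terminating the area. The sample blocks are constructed, not taken from any image.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SUSP entry header: 2-byte signature, 1-byte length, 1-byte version. */
#define SUSP_HDR_LEN 4
/* An "ER" entry adds len_id, len_des, len_src and ext_ver before its strings. */
#define ER_FIXED_LEN 8

enum susp_status {
    SUSP_ERR_ZERO_LEN   = -1,  /* length below the header size: loop would never advance */
    SUSP_ERR_TRUNCATED  = -2,  /* entry length runs past the SUSP block we were handed */
    SUSP_ERR_BAD_FIELDS = -3   /* len_id + len_des + len_src exceed the entry's payload */
};

typedef struct {
    char id[256], des[256], src[256];  /* one-byte lengths, so 255 + NUL is enough */
} er_entry;

/* Walk a SUSP block and extract ER entries, validating every length against
 * the bytes actually present. Returns the number of ER entries seen, or a
 * negative susp_status. Hypothetical code, not the Sleuth Kit's parser. */
int parse_susp_checked(const uint8_t *buf, size_t buf_len,
                       er_entry *out, size_t out_max)
{
    size_t pos = 0;
    int found = 0;

    while (pos + SUSP_HDR_LEN <= buf_len) {
        size_t len = buf[pos + 2];

        if (len < SUSP_HDR_LEN)          /* zero or sub-header length: reject, don't spin */
            return SUSP_ERR_ZERO_LEN;
        if (len > buf_len - pos)         /* entry claims more bytes than the block holds */
            return SUSP_ERR_TRUNCATED;

        if (buf[pos] == 'S' && buf[pos + 1] == 'T')
            break;                       /* ST terminates the system-use area */

        if (buf[pos] == 'E' && buf[pos + 1] == 'R') {
            size_t len_id, len_des, len_src;
            if (len < ER_FIXED_LEN)
                return SUSP_ERR_BAD_FIELDS;
            len_id  = buf[pos + 4];
            len_des = buf[pos + 5];
            len_src = buf[pos + 6];
            /* The strings must lie inside this entry, which we already know lies inside buf. */
            if (len_id + len_des + len_src > len - ER_FIXED_LEN)
                return SUSP_ERR_BAD_FIELDS;
            if ((size_t)found < out_max) {
                const uint8_t *s = buf + pos + ER_FIXED_LEN;
                memcpy(out[found].id, s, len_id);                    out[found].id[len_id]   = '\0';
                memcpy(out[found].des, s + len_id, len_des);         out[found].des[len_des] = '\0';
                memcpy(out[found].src, s + len_id + len_des, len_src); out[found].src[len_src] = '\0';
            }
            found++;
        }
        pos += len;
    }
    return found;
}

/* Constructed sample blocks (not from any real image). */
static const uint8_t VALID_BLOCK[] = {           /* well-formed ER followed by ST */
    'E','R', 19, 1, 4, 4, 3, 1, 'R','R','I','P', 'D','E','S','C', 'S','R','C',
    'S','T', 4, 1
};
static const uint8_t TRUNCATED_BLOCK[] = {       /* header claims 19 bytes, only 10 present */
    'E','R', 19, 1, 4, 4, 3, 1, 'R','R'
};
static const uint8_t BAD_FIELDS_BLOCK[] = {      /* entry fits, but len_id=200 > 4-byte payload */
    'E','R', 12, 1, 200, 0, 0, 1, 0, 0, 0, 0
};
static const uint8_t ZERO_LEN_BLOCK[] = {        /* zero length: unchecked loop never advances */
    'E','R', 0, 1, 4, 4, 3, 1
};

/* Helpers returning the parser's verdict on each constructed block. */
int check_valid(void)
{
    er_entry e[2];
    int r = parse_susp_checked(VALID_BLOCK, sizeof VALID_BLOCK, e, 2);
    return (r == 1 && strcmp(e[0].id, "RRIP") == 0 && strcmp(e[0].src, "SRC") == 0) ? 1 : 0;
}
int check_truncated(void)  { er_entry e[2]; return parse_susp_checked(TRUNCATED_BLOCK,  sizeof TRUNCATED_BLOCK,  e, 2); }
int check_bad_fields(void) { er_entry e[2]; return parse_susp_checked(BAD_FIELDS_BLOCK, sizeof BAD_FIELDS_BLOCK, e, 2); }
int check_zero_len(void)   { er_entry e[2]; return parse_susp_checked(ZERO_LEN_BLOCK,   sizeof ZERO_LEN_BLOCK,   e, 2); }

int main(void)
{
    printf("valid=%d truncated=%d bad_fields=%d zero_len=%d\n",
           check_valid(), check_truncated(), check_bad_fields(), check_zero_len());
    return 0;
}
```

The order of the checks matters: the entry-length test against `buf_len - pos` runs before any field of the entry body is read, and the string-length test compares against the entry's own length rather than the whole block, so a memcpy can never be asked for bytes beyond what was read from the image. Rejecting any length below the 4-byte header is what turns the zero-length case from an endless loop into an error return.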

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version          Status
sleuthkit (PTS)   bullseye     4.10.1+dfsg-1    vulnerable
                  bookworm     4.11.1+dfsg-1    vulnerable
                  trixie       4.12.1+dfsg-3    vulnerable
                  forky, sid   4.14.0+dfsg-1    vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
sleuthkit   source   (unstable)   (unfixed)       unimportant            1133075

Notes

Crash in CLI tool, no security impact
https://github.com/sleuthkit/sleuthkit/pull/3445
https://github.com/sleuthkit/sleuthkit/commit/a95b0ac21733b059a517aaefa667a17e1bcbdee1
