Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.
AnalysisAI
Out-of-bounds read in Sleuth Kit through version 4.14.0 allows local attackers to disclose heap memory or crash the application via a malicious APFS disk image with crafted length fields in the keybag parser. The vulnerability requires user interaction to process the malicious image but affects all Sleuth Kit tools that parse APFS volumes, with a public fix available on GitHub.
Technical ContextAI
The Sleuth Kit is a forensic analysis framework that parses filesystem metadata, including APFS (Apple File System) volumes. The vulnerability exists in the wrapped_key_parser class within the APFS keybag parser component, which handles encryption key material. The parser fails to validate attacker-controlled length fields before reading from heap buffers, resulting in an out-of-bounds read condition (CWE-125: Out-of-bounds Read). This allows reading adjacent heap memory beyond the allocated buffer boundaries, potentially exposing sensitive data or causing denial of service through application crashes. The issue affects the generic Sleuth Kit library (CPE: cpe:2.3:a:sleuthkit:sleuthkit) in versions up to and including 4.14.0.
RemediationAI
Vendor-released patch available: apply the fix from commit 8b9c9e7d493bd68624f3b1a3963edd45c3ff7611 (merged via PR #3444) to resolve the out-of-bounds read in the wrapped_key_parser class. Users should update Sleuth Kit to a version incorporating this commit (post-4.14.0 release). Until patching, limit processing of APFS disk images to trusted sources and avoid analyzing potentially malicious or adversarially-crafted APFS volumes. Refer to the vendor advisory at https://mobasi.ai/sentinel and the VulnCheck advisory at https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read for additional context.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20761
GHSA-fhjv-wmq6-3c5h