Skip to main content

Itk CVE-2026-4739

| EUVDEUVD-2026-14707 CRITICAL
Integer Overflow or Wraparound (CWE-190)
2026-03-24 GovTech CSG GHSA-9vxh-wwmc-c2m7
9.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
P

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 03:30 euvd
EUVD-2026-14707
Analysis Generated
Mar 24, 2026 - 03:30 vuln.today
Patch released
Mar 24, 2026 - 03:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 03:19 nvd
CRITICAL 9.4

DescriptionCVE.org

Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (‎Modules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.

AnalysisAI

Integer overflow in the Expat XML parser module within InsightSoftwareConsortium ITK before version 2.7.1 allows remote attackers to cause denial of service or potentially execute arbitrary code through specially crafted XML input. The vulnerability affects all users of vulnerable ITK versions and requires only network access and user interaction to exploit. A patch is available in ITK 2.7.1 and later.

Technical ContextAI

The vulnerability resides in the Expat XML parser library (version status unspecified in ITK's bundled copy), which is integrated into InsightSoftwareConsortium ITK as a third-party dependency located at Modules/ThirdParty/Expat/src/expat. Expat is a widely-used C library for parsing XML documents. An integer overflow occurs when numeric values used for memory allocation, buffer indexing, or size calculations exceed the maximum representable value for their data type, wrapping around to small or negative values. This wraparound can bypass size checks and lead to heap buffer overflows when the wrapped value is then used in memory operations. The affected product, identified via CPE cpe:2.3:a:insightsoftwareconsortium:itk:*:*:*:*:*:*:*:*, indicates all ITK versions before 2.7.1 are in scope. CWE-190 (Integer Overflow or Wraparound) classifies this root cause, which is a precursor condition that enables buffer overflow attacks when combined with unsafe memory management practices.

RemediationAI

Upgrade InsightSoftwareConsortium ITK to version 2.7.1 or later to obtain the patched Expat library. This is the primary and recommended remediation. For organizations unable to upgrade immediately, implement input validation and sanitization of XML data before processing by ITK, restricting XML complexity (element depth, attribute count) to prevent triggering integer overflow conditions. Additionally, deploy ITK instances with memory protections enabled (ASLR, DEP/NX) and run processes with minimal privileges to limit the impact of potential buffer overflow exploitation. Monitor for unusual memory access patterns or crashes in ITK services. Refer to the vendor patch at https://github.com/InsightSoftwareConsortium/ITK/pull/5351 for detailed integration instructions and test the patch in a non-production environment before deployment.

Share

CVE-2026-4739 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy