Skip to main content

Proton CVE-2026-4746

| EUVDEUVD-2026-14745 CRITICAL
Out-of-bounds Write (CWE-787)
2026-03-24 GovTech CSG GHSA-ch4h-8w5c-3g8g
10.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:N/AU:Y/R:U/V:C/RE:L/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
N

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 04:30 euvd
EUVD-2026-14745
Analysis Generated
Mar 24, 2026 - 04:30 vuln.today
Patch released
Mar 24, 2026 - 04:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 03:28 nvd
CRITICAL 10.0

DescriptionCVE.org

Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src‎ modules). This vulnerability is associated with program files inflate.C.

This issue affects proton: before 1.6.16.

AnalysisAI

Out-of-bounds write vulnerability in Proton versions before 1.6.16 allows remote attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. The vulnerability resides in the inflate.C module within the base/poco/Foundation components and can be exploited over the network without authentication or user interaction. A patch is available to remediate this critical flaw.

Technical ContextAI

The vulnerability resides in the POCO Foundation library's compression handling code, specifically the inflate.C module which implements decompression logic (likely related to zlib inflation). Out-of-bounds write vulnerabilities (CWE-787) occur when a program writes data to memory locations outside the bounds of allocated buffers, often during parsing or decompression of untrusted input. In compression libraries, such flaws typically arise from improper bounds checking during stream decompression when processing crafted or malicious compressed payloads. The affected product is timeplus-io proton (CPE: cpe:2.3:a:timeplus-io:proton:*:*:*:*:*:*:*:*), which incorporates the vulnerable POCO library code for handling compressed data streams.

RemediationAI

Upgrade timeplus-io proton to version 1.6.16 or later immediately. Apply the patch available from the vendor at https://github.com/timeplus-io/proton/pull/943. Organizations unable to patch immediately should implement network segmentation to restrict which systems can submit compressed data to proton instances, disable decompression features if not required, and apply strict input validation and monitoring for abnormal memory behavior or crashes. Validate all deployments against the updated version prior to production rollout.

More in Proton

View all

Share

CVE-2026-4746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy