Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.
AnalysisAI
Out-of-bounds read in The Sleuth Kit through 4.14.0 allows local attackers with user interaction to disclose sensitive information via a crafted ISO9660 image, exploiting the parse_susp() function's failure to validate field lengths before copying SUSP extension data into stack buffers. The vulnerability can also trigger infinite parsing loops with malformed zero-length SUSP entries. Patch available from upstream repository.
Technical ContextAI
The Sleuth Kit is a digital forensics framework that parses various filesystem formats including ISO9660 with SUSP (System Use Sharing Protocol) extensions. The parse_susp() function in the ISO9660 parser reads len_id, len_des, and len_src fields directly from untrusted disk image data and uses them as sizes for memcpy operations into a fixed stack buffer without validating that these fields correctly describe data present within the SUSP block boundaries. This violates CWE-125 (Out-of-bounds Read) by trusting attacker-controlled length values from the disk image. Additionally, zero-length SUSP entries can cause infinite loops due to improper loop termination logic, creating a denial-of-service condition.
RemediationAI
Apply the upstream patch from commit a95b0ac21733b059a517aaefa667a17e1bcbdee1 (https://github.com/sleuthkit/sleuthkit/commit/a95b0ac21733b059a517aaefa667a17e1bcbdee1) or pull request #3445 (https://github.com/sleuthkit/sleuthkit/pull/3445). Update to a patched version released after these commits are merged. As an interim mitigation, avoid parsing ISO9660 images from untrusted sources or use alternative forensic tools that validate SUSP extension fields. Refer to the vendor advisory at https://mobasi.ai/sentinel for release version information.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20763
GHSA-3pvc-h22x-rq5v