{"schema_version":"1.7.2","id":"OESA-2026-1937","modified":"2026-04-17T13:00:56Z","published":"2026-04-17T13:00:56Z","upstream":["CVE-2026-40024","CVE-2026-40025","CVE-2026-40026"],"summary":"sleuthkit security update","details":"The Sleuth Kit (previously known as TASK) is a collection of UNIX-based command line file system forensic tools that allow an investigator to examine NTFS, FAT, FFS, EXT2FS, EXT3FS and ExFAT file systems of a suspect computer in a non-intrusive fashion. The  tools have a layer-based design and can extract data from internal file system structures. Because the tools do not rely on the operating system to process the file systems, deleted and hidden content is shown.\r\n\r\nSecurity Fix(es):\n\nA path traversal vulnerability exists in the tsk_recover tool of The Sleuth Kit through version 4.14.0. An attacker can craft a malicious filesystem image containing filenames or directory paths with path traversal sequences (e.g., /../). When processed by tsk_recover, this can cause files to be written to arbitrary locations outside the intended output directory. This could potentially lead to code execution by overwriting critical files such as shell configuration files or cron entries.(CVE-2026-40024)\n\nThe Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes.(CVE-2026-40025)\n\nThe Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the ISO9660 filesystem parser where the parse_susp() function trusts len_id, len_des, and len_src fields from the disk image to memcpy data into a stack buffer without verifying that the source data falls within the parsed SUSP block. An attacker can craft a malicious ISO image that causes reads past the end of the SUSP data buffer, and a zero-length SUSP entry can trigger an infinite parsing loop.(CVE-2026-40026)","affected":[{"package":{"ecosystem":"openEuler:24.03-LTS-SP1","name":"sleuthkit","purl":"pkg:rpm/openEuler/sleuthkit&distro=openEuler-24.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.12.1-3.oe2403sp1"}]}],"ecosystem_specific":{"aarch64":["sleuthkit-4.12.1-3.oe2403sp1.aarch64.rpm","sleuthkit-debuginfo-4.12.1-3.oe2403sp1.aarch64.rpm","sleuthkit-debugsource-4.12.1-3.oe2403sp1.aarch64.rpm","sleuthkit-devel-4.12.1-3.oe2403sp1.aarch64.rpm","sleuthkit-help-4.12.1-3.oe2403sp1.aarch64.rpm"],"src":["sleuthkit-4.12.1-3.oe2403sp1.src.rpm"],"x86_64":["sleuthkit-4.12.1-3.oe2403sp1.x86_64.rpm","sleuthkit-debuginfo-4.12.1-3.oe2403sp1.x86_64.rpm","sleuthkit-debugsource-4.12.1-3.oe2403sp1.x86_64.rpm","sleuthkit-devel-4.12.1-3.oe2403sp1.x86_64.rpm","sleuthkit-help-4.12.1-3.oe2403sp1.x86_64.rpm"]}}],"references":[{"type":"ADVISORY","url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1937"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40024"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40025"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40026"}],"database_specific":{"severity":"High"}}