Sleuth Kit 4.14.0 ISO9660 Parser Flaw Allows Out-of-Bounds Reads, Infinite Loop via Malicious Image
A critical vulnerability has been identified in the Sleuth Kit, a widely deployed open-source library used for digital forensics and disk image analysis. Tracked as CVE-2026-40026, the flaw exists in the ISO9660 filesystem parser's parse_susp() function through version 4.14.0. The vulnerability stems from the function's blind trust of len_id, len_des, and len_src length fields extracted directly from disk image data. Rather than verifying that these values correspond to data boundaries within the parsed SUSP block, the function proceeds to memcpy stack buffer contents using the untrusted lengths—enabling out-of-bounds read operations that could expose sensitive memory regions.
The security implications extend beyond unauthorized memory access. Security researchers analyzing the flaw discovered that a zero-length SUSP entry can trigger an infinite parsing loop, effectively causing denial-of-service conditions in any application or system relying on the affected library to process ISO9660 images. This combination of memory exposure risk and resource exhaustion makes the vulnerability particularly dangerous for forensic tools, endpoint detection systems, and automated analysis pipelines that routinely ingest disk images from untrusted sources. Because the flaw sits in a low-level parsing component, exploitation requires only a specially crafted ISO image file.
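The two defects described above, a memcpy driven by on-disk length fields that are never compared against the enclosing entry, and an entry length of zero that never advances the parser, correspond to two missing checks in an entry walker. The C example below is added here and is not the Sleuth Kit's parse_susp(); it is an illustrative hardened walker over a constructed system-use area, using the SUSP entry header (signature, length, version) and the ER entry's len_id, len_des and len_src fields as laid out in the SUSP/RRIP specifications. The sample byte arrays, the status codes and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative hardened SUSP/ER walker (example code, not Sleuth Kit's own).
 * Layout per SUSP/RRIP: every entry starts with sig[2], len, version; an ER
 * entry adds len_id, len_des, len_src, ext_ver and then the three strings. */
#define SUSP_HDR_LEN 4
#define ER_FIXED_LEN 8
#define ER_FIELD_MAX 255 /* a one-byte length field cannot exceed this */

enum susp_status {
    SUSP_ERR_BAD_ENTRY_LEN = -1, /* len < header size (zero included) or past the area */
    SUSP_ERR_ER_LENGTHS    = -2  /* len_id + len_des + len_src do not fit in the entry */
};

struct er_entry {
    uint8_t len_id, len_des, len_src;
    char id[ER_FIELD_MAX + 1], des[ER_FIELD_MAX + 1], src[ER_FIELD_MAX + 1];
};

/* Copy the three ER strings out of entry `e` whose total length `len` has
 * already been checked against the area. Every bound derives from `len`. */
static int parse_er(const uint8_t *e, size_t len, struct er_entry *er)
{
    if (len < ER_FIXED_LEN)
        return SUSP_ERR_ER_LENGTHS;
    er->len_id = e[4]; er->len_des = e[5]; er->len_src = e[6];
    /* Compare the sum against the entry length, never trust the counts alone.
     * Three uint8_t values summed in size_t cannot overflow. */
    if ((size_t)ER_FIXED_LEN + er->len_id + er->len_des + er->len_src > len)
        return SUSP_ERR_ER_LENGTHS;
    const uint8_t *p = e + ER_FIXED_LEN;
    memcpy(er->id,  p, er->len_id);  er->id[er->len_id]   = '\0'; p += er->len_id;
    memcpy(er->des, p, er->len_des); er->des[er->len_des] = '\0'; p += er->len_des;
    memcpy(er->src, p, er->len_src); er->src[er->len_src] = '\0';
    return 0;
}

/* Walk a system-use area of `buflen` bytes. Returns the number of entries
 * visited (>= 0) and fills *er / *found_er from the first ER entry, or stops
 * with a negative susp_status on the first malformed entry. */
int parse_susp_safe(const uint8_t *buf, size_t buflen, struct er_entry *er, int *found_er)
{
    size_t off = 0;
    int count = 0;
    *found_er = 0;
    memset(er, 0, sizeof *er);

    /* Fewer than 4 bytes left cannot hold a header: treat as padding and stop. */
    while (buflen - off >= SUSP_HDR_LEN) {
        uint8_t len = buf[off + 2];
        /* A length below the header size (zero in particular) would leave `off`
         * unchanged and loop forever; a length past the area would read out of
         * bounds. Both are rejected before any field is touched. */
        if (len < SUSP_HDR_LEN || len > buflen - off)
            return SUSP_ERR_BAD_ENTRY_LEN;
        int is_st = (buf[off] == 'S' && buf[off + 1] == 'T'); /* ST ends the area */
        count++;
        if (buf[off] == 'E' && buf[off + 1] == 'R' && !*found_er) {
            int rc = parse_er(buf + off, len, er);
            if (rc < 0) return rc;
            *found_er = 1;
        }
        off += len;
        if (is_st) break;
    }
    return count;
}

/* Constructed sample areas (not taken from any real image). */
static const uint8_t SAMPLE_VALID[] = {
    'E','R', 35, 1, 10, 9, 8, 1,                      /* ER: 8 + 10 + 9 + 8 = 35 */
    'R','R','I','P','_','1','9','9','1','A',
    'T','E','S','T',' ','D','E','S','C',
    'T','E','S','T',' ','S','R','C',
    'S','T', 4, 1                                     /* terminator */
};
static const uint8_t SAMPLE_ZERO_LEN[] = { 'P','X', 0, 1, 0, 0, 0, 0 };             /* len = 0 */
static const uint8_t SAMPLE_ER_OVERFLOW[] = { 'E','R', 12, 1, 200, 1, 1, 1, 'a','b','c','d' }; /* len_id = 200 in a 12-byte entry */

int demo_valid(struct er_entry *er, int *found)
{ return parse_susp_safe(SAMPLE_VALID, sizeof SAMPLE_VALID, er, found); }
int demo_zero_len(void)
{ struct er_entry er; int f; return parse_susp_safe(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN, &er, &f); }
int demo_er_overflow(void)
{ struct er_entry er; int f; return parse_susp_safe(SAMPLE_ER_OVERFLOW, sizeof SAMPLE_ER_OVERFLOW, &er, &f); }

int main(void)
{
    struct er_entry er; int found;
    printf("valid: %d entries, ER id=\"%s\"\n", demo_valid(&er, &found), er.id);
    printf("zero-length entry: %d\n", demo_zero_len());
    printf("oversized ER lengths: %d\n", demo_er_overflow());
    return 0;
}
```

The point of the walker is that neither check costs anything at runtime and both are decided before a single byte of the variable-length fields is read: the entry length is validated against the bytes remaining in the area, and the three ER counts are validated against that entry length rather than against each other. A parser that instead sizes its memcpy from the counts directly has no way to notice that they describe bytes outside the block it was given.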
The vulnerability was identified through automated analysis of library metadata linked to the National Vulnerability Database. While the Sleuth Kit is a standalone project, it serves as a core dependency for numerous forensic and security platforms. The disclosure notes that osquery, a popular endpoint security agent, may or may not be affected depending on how it integrates the library. Organizations deploying Sleuth Kit in production forensic workflows should evaluate their exposure and consider patching to a hardened version once available, while implementing input validation layers for ISO image processing as an interim measure.