{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40025", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-08T13:36:42.932Z", "datePublished": "2026-04-08T21:35:21.537Z", "dateUpdated": "2026-04-09T16:16:39.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:21.537Z"}, "title": "Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "tags": ["x_open-source"], "datePublic": "2026-03-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.14.0", "versionType": "custom"}, {"status": "unaffected", "version": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "versionType": "git"}]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW", "version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 4.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L"}}], "references": [{"url": "https://github.com/sleuthkit/sleuthkit/pull/3444", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read"}], "credits": [{"lang": "en", "value": "Mobasi Security Team", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:03:14.878617Z", "id": "CVE-2026-40025", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:16:39.403Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40025", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:03:14.878617Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:03:20.256Z"}}], "cna": {"tags": ["x_open-source"], "title": "Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "credits": [{"lang": "en", "type": "finder", "value": "Mobasi Security Team"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "sleuthkit", "product": "sleuthkit", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.14.0"}, {"status": "unaffected", "version": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "versionType": "git"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-01T00:00:00.000Z", "references": [{"url": "https://github.com/sleuthkit/sleuthkit/pull/3444", "name": "Pull Request", "tags": ["product"]}, {"url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611", "name": "Patch Commit", "tags": ["patch"]}, {"url": "https://mobasi.ai/sentinel", "name": "Mobasi Sentinel Vulnerability Index", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read", "name": "VulnCheck Advisory: Sleuth Kit APFS Keybag Parser Out-of-Bounds Read", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-08T21:35:21.537Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40025", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:16:39.403Z", "dateReserved": "2026-04-08T13:36:42.932Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-08T21:35:21.537Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Sleuth Kit through 4.14.0 contains an out-of-bounds read vulnerability in the APFS filesystem keybag parser where the wrapped_key_parser class follows attacker-controlled length fields without bounds checking, causing heap reads past the allocated buffer. An attacker can craft a malicious APFS disk image that triggers information disclosure or crashes when processed by any Sleuth Kit tool that parses APFS volumes."}], "id": "CVE-2026-40025", "lastModified": "2026-04-08T22:16:22.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.5, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-08T22:16:22.603", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/sleuthkit/sleuthkit/commit/8b9c9e7d493bd68624f3b1a3963edd45c3ff7611"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/sleuthkit/sleuthkit/pull/3444"}, {"source": "disclosure@vulncheck.com", "url": "https://mobasi.ai/sentinel"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/sleuth-kit-apfs-keybag-parser-out-of-bounds-read"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.0]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "8b9c9e7d493bd68624f3b1a3963edd45c3ff7611"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "sleuthkit", "source": "cna", "vendor": "sleuthkit"}, "product": "the_sleuth_kit", "vendor": "sleuthkit"}], "analysis": {"en": {"generated_at": "2026-04-08T22:53:41.814125+00:00", "value": {"mitigation_remediation": ["Upgrade to Sleuth Kit 4.14.1 or later to receive the official fix for the out\u2011of\u2011bounds read", "If an upgrade is not immediately possible, apply the patch included in the GitHub commit 8b9c9e7d493bd68624f3b1a3963edd45c3ff7611 and merged in pull request 3444 to restrict parsing based on the validated length fields"], "summary": {"action": "Patch Now", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Sleuth Kit, as distributed by sleuthkit:sleuthkit, is impacted by this issue. All components of the suite that parse APFS filesystem volumes are affected. The vulnerability applies to releases through version 4.14.0; newer releases include the fix.", "description_and_impact": "The vulnerability involves an out\u2011of\u2011bounds read in the APFS keybag parser within Sleuth Kit versions up to 4.14.0. The parser uses attacker\u2011controlled length fields without bounds checking, allowing it to read beyond the allocated buffer on the heap. This flaw can leak data that resides after the buffer or cause a tool crash, both of which represent a loss of confidentiality and potential denial of service.", "risk_and_exploitability": "With a CVSS score of 4.8, the severity is moderate, while the lack of an EPSS score and absence from the CISA KEV catalog suggest limited widespread exploitation. The attacker would need to supply a malicious APFS disk image to a forensic analyst or automated pipeline that processes APFS volumes. Successful exploitation can lead to disclosure of sensitive material or a denial of service through a crash, and the risk is mitigated by applying the post\u20114.14.0 fix."}}}}, "created": "2026-04-09T08:16:31.681951+00:00", "updated": "2026-04-09T08:25:57.506974+00:00", "vendors": ["sleuthkit", "sleuthkit$PRODUCT$the_sleuth_kit"]}