CVE-2026-24797 – This CVE describes an out-of-bounds write vulne... (How to Fix)

Q: What is the severity of CVE-2026-24797?

CVE-2026-24797 has a CVSS score of N/A (Unknown). This CVE describes an out-of-bounds write vulnerability in the libjpeg-turbo library used by cupoch's tjbench utility. Attackers could exploit this to execute arbitrary code or cause denial of service by manipulating JPEG image processing. Users of cupoch software that includes the vulnerable libjpeg-turbo module are affected.

📋 TL;DR

This CVE describes an out-of-bounds write vulnerability in the libjpeg-turbo library used by cupoch's tjbench utility. Attackers could exploit this to execute arbitrary code or cause denial of service by manipulating JPEG image processing. Users of cupoch software that includes the vulnerable libjpeg-turbo module are affected.

💻 Affected Systems

Products:

cupoch (neka-nat/cupoch)

Versions: Versions using vulnerable libjpeg-turbo module prior to fix in pull request #138

Operating Systems: All platforms running cupoch

Default Config Vulnerable: ⚠️ Yes

Notes: Specifically affects the tjbench utility within cupoch that uses libjpeg-turbo for JPEG processing.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash causing denial of service, potentially with memory corruption that could be leveraged for further exploitation.

🟢

If Mitigated

Contained application crash without privilege escalation if proper sandboxing and memory protections are enabled.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing malicious JPEG files, which could occur through file uploads or external data processing.

🏢 Internal Only: LOW - Typically requires local access or specific file processing workflows to trigger.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires crafting malicious JPEG files that trigger the out-of-bounds write condition during processing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version incorporating pull request #138

Vendor Advisory: https://github.com/neka-nat/cupoch/pull/138

Restart Required: Yes

Instructions:

1. Update cupoch to latest version. 2. Ensure libjpeg-turbo dependency is updated. 3. Restart any services using cupoch.

🔧 Temporary Workarounds

Disable tjbench utility

all

Remove or disable the vulnerable tjbench component if not required

sudo rm /path/to/tjbench
chmod -x /path/to/tjbench

Restrict file processing

all

Limit JPEG file processing to trusted sources only

🧯 If You Can't Patch

Implement strict input validation for JPEG files before processing
Run cupoch in sandboxed/containerized environment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check if tjbench exists and cupoch version predates pull request #138 integration

Check Version:

cupoch --version or check package manager for cupoch version

Verify Fix Applied:

Verify cupoch version includes the fix from pull request #138 and tjbench no longer crashes with test JPEGs

📡 Detection & Monitoring

Log Indicators:

Application crashes in tjbench
Memory access violation errors
Unexpected process termination during JPEG processing

Network Indicators:

Unusual file uploads to systems using cupoch
Suspicious JPEG file transfers

SIEM Query:

process_name:tjbench AND (event_type:crash OR exit_code:139)

📊 Metadata

CVE ID: CVE-2026-24797

CVSS v3 Score: N/A (Unknown)

CWE: CWE-787

EPSS Score: 0.06% exploit probability (17.2th percentile)

Published: January 27, 2026

Last Updated: January 27, 2026

🔗 References

https://github.com/neka-nat/cupoch/pull/138

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-24797, you might also want to check these: