CVE-2026-24857

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow in the unrar code embedded in bulk_extractor lets a crafted RAR archive trigger out-of-bounds heap writes while the archive is being unpacked. The result is a crash, memory corruption, or potentially remote code execution on the analysis host. Anyone running bulk_extractor 1.4 or later for digital forensics is affected, because the rar scanner that reaches this code is enabled by default.

💻 Affected Systems

Products:
  • bulk_extractor
Versions: Version 1.4 and later
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is triggered when bulk_extractor's rar scanner (enabled by default) unpacks a RAR archive, whether the archive is supplied directly or carved from an arbitrary offset inside a disk image during forensic analysis.

📦 What is this software?

bulk_extractor is an open-source digital forensics tool that scans disk images, files, or directories for features such as e-mail addresses, URLs, and credit card numbers without relying on the file system. To reach data inside compressed content it recursively unpacks archives it finds at any offset, including RAR archives, using an embedded copy of the unrar code; that embedded copy is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on the forensic workstation leading to complete system compromise, theft of case data, or lateral movement within the environment.

🟠 Likely Case: bulk_extractor crashes part-way through a scan, leaving incomplete output and disrupting the investigation. The evidence image itself is read-only and is not altered by the crash.

🟢 If Mitigated: Limited impact when the rar scanner is disabled or bulk_extractor runs in a sandbox or disposable analysis VM; a malicious archive may still abort the scan, but the host is not compromised.

🌐 Internet-Facing: LOW - bulk_extractor is typically used offline for forensic analysis, not as an internet-facing service.
🏢 Internal Only: MEDIUM - Analysts process adversary-controlled data by design, so no trickery is needed: an attacker who expects their device or files to be examined can plant a crafted RAR archive on it and wait for routine processing to reach the vulnerable code on the forensic workstation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious RAR archive and having bulk_extractor scan it, either directly or by carving it out of a disk image; no credentials or interaction beyond the normal analysis run are needed. No public proof-of-concept is available at time of advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q

Restart Required: No

Instructions:

No official patch available. Monitor the GitHub advisory for updates and patch when available.

🔧 Temporary Workarounds

Disable RAR processing (all platforms)

Run bulk_extractor with the rar scanner switched off. -x disables a named scanner and -o (the output directory) is mandatory, so the minimal command is:

bulk_extractor -x rar -o out image.dd

The embedded unrar code is only exercised through the rar scanner, so this removes the vulnerable path at the cost of not recovering content from RAR archives. Confirm the scanner name for your build with bulk_extractor -h.

Use external unrar tool (all platforms)

Extract RAR archives with a separate, up-to-date unrar build (ideally inside a sandbox or disposable VM, since the archive is untrusted), then scan the extracted files with bulk_extractor while keeping its own rar scanner disabled so the original archive is never parsed by the vulnerable code. -R is needed to recurse into the directory and -o is mandatory:

unrar x suspicious.rar extracted_files/
bulk_extractor -R -x rar -o out extracted_files/

🧯 If You Can't Patch

  • Isolate forensic workstations from production networks and implement strict access controls
  • Implement application sandboxing or containerization to limit potential damage from exploitation

🔍 How to Verify

Check if Vulnerable:

Check bulk_extractor version: bulk_extractor -V. Until a fixed release is published, every version from 1.4 upward is vulnerable whenever the rar scanner is enabled, which it is by default.

Check Version:

bulk_extractor -V

Verify Fix Applied:

When a patch becomes available, confirm that bulk_extractor -V reports the fixed version or later on every analysis host. A clean run over benign RAR files proves nothing, because they never reach the overflow; rely on the version number, or on a reproducer from the project if one is published with the fix.
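The workaround and verification steps above (version check, keeping RAR data away from a vulnerable build, running with -x rar) as one pre-flight script. This is an added example and not code from bulk_extractor or this advisory. The RAR marker bytes are the real archive signatures; the function names, the sample image bytes, and the assumption that bulk_extractor -V prints a dotted version number somewhere in its output are mine. The signature scan checks every byte offset, as bulk_extractor's carving would, and handles signatures that straddle chunk boundaries so it can run over multi-gigabyte images without loading them into memory.

```python
import io
import re
import subprocess

# RAR marker blocks (archive signatures). These are the real magic values;
# the function names and -V output format below are assumptions.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x
_PREFIX = b"Rar!\x1a\x07"              # common to both

VULNERABLE_SINCE = (1, 4)


def parse_version(text):
    """Extract the first dotted version from `bulk_extractor -V` output.

    Assumption: the output contains a version such as "2.0.0"; the exact
    wording is not specified by the advisory, so the first dotted number wins.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(g) for g in m.groups() if g is not None)


def installed_version():
    """Query the real binary (command-line use only)."""
    out = subprocess.run(["bulk_extractor", "-V"], capture_output=True, text=True)
    return parse_version(out.stdout + out.stderr)


def is_affected(version, fixed_version=None):
    """1.4 and later is affected until a fixed release exists (fixed_version)."""
    if version < VULNERABLE_SINCE:
        return False
    return fixed_version is None or version < fixed_version


def find_rar_signatures(data, base=0, skip_before=0):
    """Return [(absolute_offset, 'RAR4' | 'RAR5'), ...] for marker blocks in data.

    Every byte offset is checked, because bulk_extractor carves archives from
    arbitrary positions inside an image, not only at file boundaries. Hits that
    end at or before `skip_before` were already reported by the previous chunk.
    """
    hits = []
    pos = data.find(_PREFIX)
    while pos >= 0:
        for magic, kind in ((RAR5_MAGIC, "RAR5"), (RAR4_MAGIC, "RAR4")):
            if data.startswith(magic, pos) and pos + len(magic) > skip_before:
                hits.append((base + pos, kind))
                break
        pos = data.find(_PREFIX, pos + 1)
    return hits


def scan_stream(stream, chunk_size=1 << 20):
    """Chunked scan of a file object; disk images can be far larger than RAM.

    The last len(RAR5_MAGIC)-1 bytes of each chunk are carried over so that a
    signature straddling a chunk boundary is found exactly once.
    """
    overlap = len(RAR5_MAGIC) - 1
    hits, tail, consumed = [], b"", 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            return hits
        buf = tail + block
        hits += find_rar_signatures(buf, base=consumed - len(tail), skip_before=len(tail))
        consumed += len(block)
        tail = buf[-overlap:]


def scan_bytes(data, chunk_size=1 << 20):
    return scan_stream(io.BytesIO(data), chunk_size)


def scan_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size)


def build_safe_command(target, outdir, recursive=False):
    """argv for a run with the rar scanner disabled. -o is mandatory for
    bulk_extractor; -R is needed when target is a directory of files."""
    argv = ["bulk_extractor", "-o", str(outdir), "-x", "rar"]
    if recursive:
        argv.append("-R")
    argv.append(str(target))
    return argv


if __name__ == "__main__":
    import sys
    image, outdir = sys.argv[1], sys.argv[2]
    version = installed_version()
    hits = scan_file(image)
    print("bulk_extractor %s affected=%s RAR signatures=%d"
          % (".".join(map(str, version)), is_affected(version), len(hits)))
    for off, kind in hits[:10]:
        print("  %s marker at offset %d" % (kind, off))
    print("run:", " ".join(build_safe_command(image, outdir)))
```

Usage: python3 preflight.py image.dd out. The offsets it prints tell you where in the image RAR data would have been carved; a build that is still affected should be run with the printed command line regardless of whether any marker was found, since the scan above is only as good as the signatures it knows.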

📡 Detection & Monitoring

Log Indicators:

  • bulk_extractor crash logs and an analysis run that ends without completing its output
  • kernel "segfault at ..." messages and systemd-coredump records naming the bulk_extractor process
  • ASAN (AddressSanitizer) heap-buffer-overflow reports, only if bulk_extractor was built with -fsanitize=address

Network Indicators:

  • Unusual network connections from forensic workstations

SIEM Query (field names depend on your schema; adapt to it):

process_name:"bulk_extractor" AND (event_type:"crash" OR error_message:"segmentation fault")
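The log indicators above turned into detection logic, as an added example that is not part of this advisory or of bulk_extractor. It parses the three record shapes a Linux forensic workstation would actually produce for this bug (the kernel's "segfault at ... error N" line, a systemd-coredump record, and an AddressSanitizer report header plus its READ/WRITE line), keeps only events for the watched process, and decodes the x86 page-fault error code so a write fault, the signature of an out-of-bounds write, is rated higher than a read fault or a plain core dump. The sample lines are constructed, not captured from a real incident.

```python
import re

# Constructed sample lines (not real incident data): syslog lines from a forensic
# workstation plus two lines as an ASAN build of bulk_extractor prints to stderr.
SAMPLE_SYSLOG = [
    "Mar  3 10:12:44 forensics1 kernel: bulk_extractor[4212]: segfault at 7f3a9c41e000 "
    "ip 000055d2b3c1a7e2 sp 00007ffd4d3a2b40 error 6 in bulk_extractor[55d2b3b00000+2a0000]",
    "Mar  3 10:12:44 forensics1 kernel: Code: 48 89 c7 e8 3f 12 00 00 48 8b 45 f8",
    "Mar  3 10:13:02 forensics1 systemd-coredump[4220]: Process 4212 (bulk_extractor) "
    "of user analyst dumped core.",
    "Mar  3 10:15:00 forensics1 sshd[4300]: Accepted publickey for analyst from 10.0.5.7 port 51324 ssh2",
    "Mar  3 10:16:11 forensics1 kernel: python3[4401]: segfault at 0 ip 00007f1e2c0a1b22 "
    "sp 00007ffe1a0c3d10 error 4 in libpython3.11.so.1.0[7f1e2bf00000+2f0000]",
]
SAMPLE_ASAN_STDERR = [
    "==5133==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ff80 "
    "at pc 0x55e0c1a3c4f1 bp 0x7ffc0d2f1a30 sp 0x7ffc0d2f1a20",
    "WRITE of size 4 at 0x61900000ff80 thread T0",
]

WATCHED = {"bulk_extractor"}

# Linux kernel user-space fault message (arch/x86 show_signal_msg format).
SEGFAULT_RE = re.compile(
    r"kernel: (?P<proc>[\w.+-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)
COREDUMP_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<proc>[^)]+)\) of user (?P<user>\S+) dumped core"
)
ASAN_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)"
)
ASAN_ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+")


def decode_segfault_error(code):
    """Decode the x86 page-fault error code printed after 'error'."""
    return {
        "protection_violation": bool(code & 1),  # clear: page was not present
        "write": bool(code & 2),                 # set: faulting access was a write
        "user_mode": bool(code & 4),             # set: fault raised from user space
    }


def parse_syslog_line(line):
    m = SEGFAULT_RE.search(line)
    if m:
        return {"kind": "segfault", "proc": m["proc"], "pid": int(m["pid"]),
                "addr": int(m["addr"], 16), **decode_segfault_error(int(m["err"]))}
    m = COREDUMP_RE.search(line)
    if m:
        return {"kind": "coredump", "proc": m["proc"], "pid": int(m["pid"]), "user": m["user"]}
    return None


def parse_asan_report(lines, proc):
    """Fold an ASAN report (header line + access line) into one event.

    ASAN output carries no process name, so the caller attributes it (the
    lines come from that process's stderr or log file)."""
    events, current = [], None
    for line in lines:
        m = ASAN_RE.search(line)
        if m:
            current = {"kind": "asan", "proc": proc, "pid": int(m["pid"]),
                       "asan_kind": m["kind"], "addr": int(m["addr"], 16)}
            events.append(current)
            continue
        m = ASAN_ACCESS_RE.match(line)
        if m and current is not None:
            current["write"] = m["access"] == "WRITE"
            current["size"] = int(m["size"])
    return events


def detect(syslog_lines, asan_lines=(), asan_proc="bulk_extractor"):
    """Return alert events for watched processes, in log order, with a severity."""
    events = [e for e in map(parse_syslog_line, syslog_lines) if e and e["proc"] in WATCHED]
    events += [e for e in parse_asan_report(asan_lines, asan_proc) if e["proc"] in WATCHED]
    for e in events:
        # A heap-buffer-overflow report or a user-mode write fault matches this bug class.
        oob_write = (e["kind"] == "asan" and e["asan_kind"] == "heap-buffer-overflow") or \
                    (e["kind"] == "segfault" and e["write"])
        e["severity"] = "high" if oob_write else "medium"
    return events


def incidents_by_pid(events):
    """Group events by pid so a segfault and its core dump form one incident."""
    by_pid = {}
    for e in events:
        by_pid.setdefault(e["pid"], []).append(e["kind"])
    return by_pid


if __name__ == "__main__":
    for e in detect(SAMPLE_SYSLOG, SAMPLE_ASAN_STDERR):
        print(e["severity"].upper(), e["proc"], e["pid"], e["kind"])
```

A crash from this bug on its own is not evidence of exploitation; treat a high-severity hit as a cue to preserve the input image and the bulk_extractor output directory, identify which archive was being unpacked, and rerun it under an ASAN build in an isolated VM before deciding whether the archive was merely malformed or deliberately crafted.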
