CVE-2026-4739 - Vulnerability Details - OpenCVE

Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (‎Modules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Insightsoftwareconsortium	Itk

No data.

No data.

References

Link	Providers
https://github.com/InsightSoftwareConsortium/ITK/pull/5351

History

Tue, 24 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 24 Mar 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Insightsoftwareconsortium Insightsoftwareconsortium itk
Vendors & Products		Insightsoftwareconsortium Insightsoftwareconsortium itk

Tue, 24 Mar 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (‎Modules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.
Title		Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK
Weaknesses		CWE-190
References		https://github.com/InsightSoftwareConsortium/ITK/pull/5351
Metrics		cvssV4_0 `{'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:M/U:Amber'}`

MITRE

Status: PUBLISHED

Assigner: GovTech CSG

Published: 2026-03-24T03:19:28.818Z

Updated: 2026-03-24T14:34:50.925Z

Reserved: 2026-03-24T03:19:16.665Z

Link: CVE-2026-4739

Vulnrichment

Updated: 2026-03-24T14:34:48.037Z

NVD

Status : Awaiting Analysis

Published: 2026-03-24T04:17:29.193

Modified: 2026-03-24T15:53:48.067

Link: CVE-2026-4739

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4739", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-03-24T03:19:16.665Z", "datePublished": "2026-03-24T03:19:28.818Z", "dateUpdated": "2026-03-24T14:34:50.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:19:28.818Z"}, "title": "Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "type": "CWE"}]}], "affected": [{"vendor": "InsightSoftwareConsortium", "product": "ITK", "collectionURL": "https://github.com/InsightSoftwareConsortium/ITK", "modules": ["\u200eModules/ThirdParty/Expat/src/expat"], "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.1", "versionType": "git"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).<p>This issue affects ITK: before 2.7.1.</p>"}]}], "references": [{"url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "ATTACKED", "Safety": "PRESENT", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "MODERATE", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:M/U:Amber"}}], "credits": [{"lang": "en", "value": "TITAN Team (titancaproject@gmail.com)", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:34:37.467295Z", "id": "CVE-2026-4739", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:34:50.925Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:34:37.467295Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:34:48.037Z"}}], "cna": {"title": "Integer overflow vulnerabilities in InsightSoftwareConsortium/ITK", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "PRESENT", "version": "4.0", "Recovery": "USER", "baseScore": 9.4, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/S:P/AU:Y/R:U/V:C/RE:M/U:Amber", "exploitMaturity": "ATTACKED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "InsightSoftwareConsortium", "modules": ["\u200eModules/ThirdParty/Expat/src/expat"], "product": "ITK", "versions": [{"status": "affected", "version": "0", "lessThan": "2.7.1", "versionType": "git"}], "collectionURL": "https://github.com/InsightSoftwareConsortium/ITK", "defaultStatus": "affected"}], "references": [{"url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1.", "supportingMedia": [{"type": "text/html", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).<p>This issue affects ITK: before 2.7.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-03-24T03:19:28.818Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4739", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:34:50.925Z", "dateReserved": "2026-03-24T03:19:16.665Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-03-24T03:19:28.818Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in InsightSoftwareConsortium ITK (\u200eModules/ThirdParty/Expat/src/expat modules).This issue affects ITK: before 2.7.1."}, {"lang": "es", "value": "Vulnerabilidad de desbordamiento de entero o ajuste circular en InsightSoftwareConsortium ITK (m\u00f3dulos ?Modules/ThirdParty/Expat/src/expat). Este problema afecta a ITK: antes de 2.7.1."}], "id": "CVE-2026-4739", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "PRESENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "ATTACKED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "PASSIVE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-03-24T04:17:29.193", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/InsightSoftwareConsortium/ITK/pull/5351"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}