CRITICAL🇵🇱 Wersja polska

CVE-2026-4746

CVSS 10.0v4.0pub. 2026-03-24

Out-of-bounds Write vulnerability in timeplus-io proton (base/poco/Foundation/src‎ modules). This vulnerability is associated with program files inflate.C. This issue affects proton: before 1.6.16.

🤖 AI Analysis
How it works

The vulnerability consists of writing data beyond the boundaries of allocated buffer memory in the inflate.C file, belonging to the Foundation module of the Poco library embedded in the proton project. A remote attacker, without authentication and without user interaction, can supply crafted input data that triggers improper memory write. Such out-of-bounds write errors can be exploited to overwrite critical data structures or execute arbitrary code.

Impact

An attacker can gain full control over the vulnerable system, including executing arbitrary code (RCE) and compromising the confidentiality, integrity, and availability of both the application itself and related systems.

Mitigation & patch

Update timeplus-io proton to version 1.6.16 or later. Patch details are available in the vendor's pull request: https://github.com/timeplus-io/proton/pull/943

Who is affected

timeplus-io proton versions earlier than 1.6.16

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Memory
CWE
References