Merge pull request #48 from MeghaMoncy/master

MeghaMoncy · web-flow · commit d7d430e9cc89 · 2026-02-05T14:18:40.000-05:00
Updating to add OSG-SEC-2026-01-27.md
diff --git a/docs/OSGSecurityAnnouncements.md b/docs/OSGSecurityAnnouncements.md
@@ -1,5 +1,6 @@
 | Date        | Title                                                 | Contents/Link       |   Risk        |
 |-------------|-------------------------------------------------------|---------------------|---------------|
+| 2026-01-27  | CRITICAL ROOT Framework Remote Code Execution Vulnerability (CVE-2026-24811, CVE-2026-24812) | [OSG-SEC-2026-01-27](./vulns/OSG-SEC-2026-01-27.md) |     |
 | 2025-12-04  | CRITICAL React Server Components Vulnerability (CVE-2025-55182) | [OSG-SEC-2025-12-04](./vulns/OSG-SEC-2025-12-04.md) |     |
 | 2025-09-11  | linux-kernel: CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352 | [OSG-SEC-2025-09-11](./vulns/OSG-SEC-2025-09-11.md) |     |
 | 2025-09-04  | linux-pam: Incomplete fix for CVE-2025-6020 (CVE-2025-8941) | [OSG-SEC-2025-09-04](./vulns/OSG-SEC-2025-09-04.md) |     |
diff --git a/docs/vulns/OSG-SEC-2026-01-27.md b/docs/vulns/OSG-SEC-2026-01-27.md
@@ -0,0 +1,27 @@
+# OSG-SEC-2026-01-27 CRITICAL ROOT Framework Remote Code Execution Vulnerability (CVE-2026-24811, CVE-2026-24812)
+
+Dear OSG Security Contacts,
+
+Two critical vulnerabilities, CVE-2026-24811 and CVE-2026-24812, have been identified in the ROOT framework, specifically within its bundled (builtins) version of the zlib library. ROOT is an open-source data analysis framework developed at CERN. It is the foundational software for high-energy physics.
+
+## IMPACTED VERSIONS:
+All versions up to and including 6.36.00-rc1
+
+## WHAT ARE THE VULNERABILITIES:
+The flaws reside in inffast.c (pointer arithmetic error) and inftrees.c (buffer overflow). Because these handle the decompression of data, an attacker can exploit them by providing a maliciously crafted .root file or compressed data packet. The initial compromise grants the privileges of the service user. This is not a vulnerability that allows privilege escalation.
+
+## WHAT YOU SHOULD DO:
+
+Upgrade to Version 6.36.00 (Stable) and higher.
+
+## REFERENCES 
+[1] https://nvd.nist.gov/vuln/detail/CVE-2026-24811 
+[2] https://nvd.nist.gov/vuln/detail/CVE-2026-24812 
+[3] https://github.com/root-project/root/pull/18526 
+[4] https://github.com/root-project/root/pull/18527 
+[5] https://github.com/advisories/GHSA-fm67-x2fw-2g76 
+
+
+Please contact the OSG security team at security@osg-htc.org if you have any questions or concerns.
+
+OSG Security Team
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -12,6 +12,7 @@ nav:
   - Overview: 'OSGSecurityAnnouncements.md'
   - Overview x86 vulnerabilities: 'OSGSecurityAnnouncements-x86.md'
 - Announcement Details:
+    - OSG-SEC-2026-01-27 CRITICAL ROOT Framework Remote Code Execution Vulnerability (CVE-2026-24811, CVE-2026-24812): './vulns/OSG-SEC-2026-01-27.md'
     - OSG-SEC-2025-12-04 CRITICAL React Server Components Vulnerability (CVE-2025-55182): './vulns/OSG-SEC-2025-12-04.md'
     - OSG-SEC-2025-09-11 linux-kernel- CRITICAL risk vulnerability allowing local privilege escalation,CVE-2025-38352: './vulns/OSG-SEC-2025-09-11.md'
     - OSG-SEC-2025-09-04 Linux pam Incomplete fix for CVE-2025-6020 (CVE-2025-8941): './vulns/OSG-SEC-2025-09-04.md'
