CVE Reports
Originally published at cvereports.com

CVE-2026-24823: Return of the Living Dead: How X-TRACK Resurrected a Critical zlib Bug

Vulnerability ID: CVE-2026-24823
CVSS Score: 10.0
Published: 2026-01-27

A critical heap buffer overflow in FASTSHIFT X-TRACK firmware caused by an unpatched fork of the zlib library. This vulnerability allows remote code execution via malformed GZIP headers, specifically through the 'extra field' handling logic.

TL;DR

FASTSHIFT's GPS bike computers are running a zombie version of zlib. They copied code vulnerable to CVE-2022-37434 (a 4-year-old bug), didn't patch it, and now have a CVSS 10.0 RCE on their hands. To make matters worse, the fix introduces a potential crash loop.

⚠️ Exploit Status: PoC

Technical Details

  • CVE ID: CVE-2026-24823
  • CVSS v4.0: 10.0 (Critical)
  • CWE: CWE-787 (Out-of-bounds Write)
  • Attack Vector: Network (Remote)
  • Affected Component: inflate.c (PNGdec module)
  • Root Cause: The offset into the caller's extra-field buffer (len) is passed to zmemcpy without being checked against extra_max

Affected Systems

  • FASTSHIFT X-TRACK Firmware <= 2.7 (fixed in 2.8)

Code Analysis

Commit: 7290135

Fix buffer overflow in inflate.c (Partial regression introduced)

--- a/inflate.c
+++ b/inflate.c
+                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
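Review bot: the hoisted line `+ len = state->head->extra_len - state->length;` at the top of the hunk dereferences `state->head` before the `state->head != Z_NULL` test that follows it, so a caller that set no gz_header now crashes on a NULL pointer where it previously did not; this is the regression the commit message admits to. Fold the computation into the condition instead, as upstream zlib does: `state->head->extra != Z_NULL && (len = state->head->extra_len - state->length) < state->head->extra_max) {`. The hunk also omits its `@@` header and the `zmemcpy` call that consumes `len`, so the reviewer cannot confirm that the copy length itself is still clamped to `extra_max - len`; include that context in the patch.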

Exploit Details

  • GitHub: Original discussion and PoC for the upstream zlib vulnerability (CVE-2022-37434)

Mitigation Strategies

  • Immediate Firmware Update: Flash the device to version 2.8 or later immediately.
  • Network Isolation: Do not connect the device to untrusted public Wi-Fi networks until patched.
  • File Hygiene: Avoid loading custom map packs or PNG assets from unverified third-party forums.

Remediation Steps:

  1. Download the latest firmware from the FASTSHIFT repository or official updater tool.
  2. For developers compiling from source: Apply Pull Request #120 manually.
  3. For developers fixing the regression: Move the 'len' calculation inside the 'if (state->head != Z_NULL)' block to avoid the NULL pointer crash.
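As an added example (not the advisory's code and not FASTSHIFT's firmware), a stand-alone C model of the extra-field copy with both guards the advisory calls for: the extra_max bound from the upstream CVE-2022-37434 fix and the len computation kept behind the head != NULL check from step 3. The struct and function names are assumed stand-ins for zlib's gz_header and inflate_state fields, and the 64-byte header / 16-byte buffer scenario is constructed.

```c
#include <string.h>
/* Stand-ins for the gz_header / inflate_state fields the EXTRA state uses
 * (constructed for this example; not zlib's real types). */
typedef struct {
    unsigned char *extra;   /* caller-supplied buffer, may be NULL */
    unsigned extra_len;     /* length announced by the gzip header */
    unsigned extra_max;     /* capacity of 'extra' */
} gz_head_t;
typedef struct {
    gz_head_t *head;        /* NULL when the caller asked for no header info */
    unsigned length;        /* extra-field bytes still to be consumed */
} inflate_state_t;

/* Consume up to 'have' bytes of the extra field; return how many were stored.
 * 'len' is computed only after head and head->extra are known non-NULL (the
 * crash regression) and the copy is clamped to extra_max (CVE-2022-37434). */
static unsigned consume_extra(inflate_state_t *state,
                              const unsigned char *next, unsigned have)
{
    unsigned copy = state->length, len, stored = 0;
    if (copy > have) copy = have;
    if (copy) {
        if (state->head != NULL && state->head->extra != NULL &&
            (len = state->head->extra_len - state->length) <
                state->head->extra_max) {
            stored = len + copy > state->head->extra_max
                         ? state->head->extra_max - len : copy;
            memcpy(state->head->extra + len, next, stored);
        }
        state->length -= copy;  /* input is consumed even when not stored */
    }
    return stored;
}

/* Constructed scenarios: (1) header announces 64 extra bytes but the caller
 * gave room for 16, fed as two 32-byte chunks: expect 16 stored, then 0, guard
 * byte untouched; (2) head == NULL: no crash, input consumed. Returns 1 if ok. */
int check_extra_guards(void)
{
    unsigned char buf[17], input[32];
    gz_head_t head = { buf, 64, 16 };
    inflate_state_t st = { &head, 64 }, nohead = { NULL, 8 };
    unsigned first, second, third;
    memset(input, 0x41, sizeof input);
    buf[16] = 0xEE;                      /* guard byte past the 16 usable bytes */
    first = consume_extra(&st, input, 32);
    second = consume_extra(&st, input, 32);
    third = consume_extra(&nohead, input, 8);
    return first == 16 && second == 0 && buf[16] == 0xEE && st.length == 0 &&
           third == 0 && nohead.length == 0;
}
```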

References

Read the full report for CVE-2026-24823 on our website for more details, including interactive diagrams and full exploit analysis.
