CVE-2025-5916

| EUVD-2025-17575 LOW
2025-06-09 [email protected]
3.9
CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Mar 14, 2026 - 19:21 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 19:21 euvd
EUVD-2025-17575
Patch Released
Mar 14, 2026 - 19:21 nvd
Patch available
CVE Published
Jun 09, 2025 - 20:15 nvd
LOW 3.9

Tags

Buffer Overflow Integer Overflow Ubuntu Debian

Description

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.

Analysis

A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0.

Technical Context

An integer overflow occurs when an arithmetic operation produces a value that exceeds the maximum (or minimum) size of the integer type used to store it. This vulnerability is classified as Integer Overflow or Wraparound (CWE-190).

Affected Products

Affected products: Libarchive Libarchive, Redhat Openshift Container Platform 4.0, Redhat Enterprise Linux 6.0

Remediation

A vendor patch is available — apply it immediately. Use safe integer arithmetic libraries. Check for overflow conditions before operations. Use appropriately sized integer types.

Priority Score

20
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +20
POC: 0

Vendor Status

Ubuntu

Priority: Medium
libarchive
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
upstream needs-triage -
jammy released 3.6.0-1ubuntu1.5
noble released 3.7.2-2ubuntu0.5
oracular released 3.7.4-1ubuntu0.3
plucky released 3.7.7-0ubuntu2.3
questing released 3.7.7-0ubuntu3
USN-7601-1

Debian

Bug #1107623
libarchive
Release Status Fixed Version Urgency
bullseye fixed 3.4.3-2+deb11u3 -
bullseye (security) fixed 3.4.3-2+deb11u3 -
bookworm fixed 3.6.2-1+deb12u3 -
bookworm (security) vulnerable 3.6.2-1+deb12u2 -
trixie fixed 3.7.4-4 -
forky, sid fixed 3.8.5-1 -
(unstable) fixed 3.7.4-4 -
DLA-4368-1

Share

CVE-2025-5916 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy