Skip to main content

libarchive CVE-2026-14164

| EUVDEUVD-2026-40259 HIGH
Double Free (CWE-415)
2026-06-30 redhat GHSA-xq96-f7x8-gfx3
7.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Triggered by parsing attacker-supplied archive data without privileges or interaction (AV:N/AC:L/PR:N/UI:N); impact is limited to a process crash so only A:H, with C:N/I:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
7.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 07:32 vuln.today
CVE Published
Jun 30, 2026 - 06:29 nvd
HIGH 7.5

DescriptionCVE.org

A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.

AnalysisAI

Denial of service in libarchive's RAR5 reader allows remote attackers to crash applications that decompress untrusted RAR5 archives via a double-free (CWE-415) of the stale filtered_buf pointer. Reported by Red Hat and affecting libarchive as shipped across Red Hat Enterprise Linux 6 through 10, OpenShift Container Platform 4, and Red Hat Hardened Images, the flaw is triggered purely by parsing a malicious archive entry. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Submit crafted multi-entry RAR5 archive
Delivery
libarchive RAR5 reader reinitializes unpack state, frees filtered_buf
Exploit
Stale pointer survives into next entry
Execution
Second free triggers double-free
Persist
Heap corruption aborts process
Impact
Application denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target application use libarchive's RAR5 reader to parse an attacker-supplied, specially crafted RAR5 archive in which the unpacking state is reinitialized (freeing filtered_buf) and then a subsequent archive entry is processed, triggering the second free - so a multi-entry malicious RAR5 archive is the concrete prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent and point to a moderate, availability-only risk rather than a critical one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious RAR5 archive whose entries force the RAR5 unpacker through a state reinitialization that leaves filtered_buf stale, then arranges for a victim application - for example an email/antivirus gateway, file-sharing backend, or backup tool that auto-extracts uploads - to parse it. Processing a later entry triggers the second free of the same buffer, corrupting the heap and aborting the process, causing denial of service. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the libarchive correction from pull request https://github.com/libarchive/libarchive/pull/3071 once it lands in a tagged release, and for Red Hat systems install the updated libarchive package when published per the advisory at https://access.redhat.com/security/cve/CVE-2026-14164 (track via Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2493411). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production systems using libarchive with RAR5 decompression capability, particularly in automated processing pipelines and user-facing services. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-14164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy