Skip to main content

libarchive CVE-2026-5121

| EUVDEUVD-2026-17073 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-03-30 redhat
High
Disputed · 7.5 Vendor: redhat
Temporal: 9.8
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (redhat) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CIRCL (temporal)
9.8 CRITICAL
cvss
SUSE
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
MEDIUM
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

14
Analysis Updated
Apr 22, 2026 - 07:27 vuln.today
v8 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 14:27 vuln.today
v7 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 09:44 vuln.today
v6 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 06:27 vuln.today
v5 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 05:27 vuln.today
v4 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 04:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Apr 20, 2026 - 03:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
Apr 14, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
Apr 14, 2026 - 16:22 NVD
9.8 (CRITICAL) 7.5 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 30, 2026 - 08:15 euvd
EUVD-2026-17073
Analysis Generated
Mar 30, 2026 - 08:15 vuln.today
CVE Published
Mar 30, 2026 - 07:47 nvd
CRITICAL 9.8

DescriptionCVE.org

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

AnalysisAI

Remote code execution in libarchive on 32-bit systems allows unauthenticated attackers to execute arbitrary code via specially crafted ISO9660 images. The vulnerability affects Red Hat Enterprise Linux versions 6 through 10 and OpenShift Container Platform 4, with vendor patches released across multiple RHSA advisories. Despite the CVSS 7.5 score and network attack vector, EPSS exploitation probability is low (0.05%, 16th percentile) and no public exploit is identified at time of analysis, though SSVC classifies the vulnerability as automatable with total technical impact.

Technical ContextAI

This vulnerability affects libarchive, a widely-used multi-format archive and compression library. The flaw resides in the zisofs (compressed ISO9660 filesystem) block pointer allocation logic, specifically impacting 32-bit system architectures. CWE-190 integer overflow occurs when processing zisofs block pointers in maliciously crafted ISO9660 images, causing an undersized heap allocation. Subsequent writes overflow this buffer, enabling memory corruption and potential code execution. The vulnerability is particularly relevant for systems using libarchive to process untrusted archive files, including package managers, backup tools, and file extraction utilities. Red Hat's CPE data indicates widespread exposure across RHEL 6-10 and containerized environments running OpenShift Container Platform 4, where libarchive is a core dependency for RPM package management and container image handling.

RemediationAI

Apply vendor-released patches immediately for affected Red Hat Enterprise Linux and OpenShift Container Platform deployments by installing updated libarchive packages through the referenced RHSA advisories (RHSA-2026:8510, 8534, 8517, 8521, 8867, 8864, 8873, 8908, 8866) available at https://access.redhat.com/errata/. Upstream fix available via GitHub pull request #2934 at https://github.com/libarchive/libarchive/pull/2934, though released patched version numbers are not independently confirmed from available data. For systems that cannot be immediately patched, implement defense-in-depth controls: restrict processing of untrusted ISO9660 images to isolated sandbox environments with limited privileges, disable automatic mounting or extraction of ISO images from untrusted sources, and implement file type validation before passing archives to libarchive. Note that blocking ISO9660 format entirely may break legitimate workflows involving CD/DVD images or software distribution. On systems with both 32-bit and 64-bit architecture support, prioritize migration to 64-bit builds where feasible, as the vulnerability specifically affects 32-bit systems. Monitor Red Hat security advisories and Debian security tracker for distribution-specific patch releases if using Debian-based systems.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

Debian

libarchive
Release Status Fixed Version Urgency
bullseye vulnerable 3.4.3-2+deb11u1 -
bullseye (security) vulnerable 3.4.3-2+deb11u3 -
bookworm vulnerable 3.6.2-1+deb12u3 -
bookworm (security) vulnerable 3.6.2-1+deb12u2 -
trixie vulnerable 3.7.4-4 -
forky, sid vulnerable 3.8.5-1 -
(unstable) fixed (unfixed) -

SUSE

Severity: Critical
Product Status
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-5121 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy