EUVD-2025-17576 / CVE-2025-5915

Severity: MEDIUM (CVSS 3.1 base score 6.6)
Published: 2025-06-09
Assigner: [email protected]

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     Required
Scope:                Unchanged
Confidentiality:      High
Integrity:            None
Availability:         High

Lifecycle Timeline

Event               Date                    Source      Detail
Analysis Generated  Mar 14, 2026 - 19:21    vuln.today  -
EUVD ID Assigned    Mar 14, 2026 - 19:21    euvd        EUVD-2025-17576
Patch Released      Mar 14, 2026 - 19:21    nvd         Patch available
CVE Published       Jun 09, 2025 - 20:15    nvd         MEDIUM 6.6

Description

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

Technical Context

A buffer overflow occurs when data written to a buffer exceeds its allocated size, potentially overwriting adjacent memory and corrupting program state. This vulnerability is classified as Heap-based Buffer Overflow (CWE-122). Note that the description characterizes this particular flaw as an over-read rather than an over-write: the library reads past the end of a heap buffer when a filter block is larger than the LZSS window, so the expected impacts are crashes and disclosure of adjacent heap memory, which matches the CVSS vector's Confidentiality: High, Integrity: None, Availability: High.

Affected Products

Affected products:
  - libarchive (vendor: libarchive)
  - Red Hat OpenShift Container Platform 4.0
  - Red Hat Enterprise Linux 6.0

Remediation

A vendor patch is available; apply it promptly. Generic hardening (building with memory-safe languages or bounds-checked functions, and enabling ASLR, DEP/NX and stack canaries) reduces the exploitability of memory-safety bugs in general, but none of these measures stops an out-of-bounds read from disclosing adjacent heap memory, so the patched libarchive version is the actual fix.

Priority Score

33 (scale: Low / Medium / High / Critical)

Score components:
  KEV:  0
  EPSS: +0.0
  CVSS: +33
  POC:  0

Vendor Status

Ubuntu (priority: Medium), package libarchive

Release    Status        Version
trusty     needs-triage  -
xenial     needs-triage  -
bionic     needs-triage  -
focal      needs-triage  -
upstream   needs-triage  -
jammy      released      3.6.0-1ubuntu1.5
noble      released      3.7.2-2ubuntu0.5
oracular   released      3.7.4-1ubuntu0.3
plucky     released      3.7.7-0ubuntu2.3
questing   released      3.7.7-0ubuntu3

Debian (Bug #1107622), package libarchive

Release              Status        Fixed Version     Urgency
bullseye             not-affected  -                 -
bullseye (security)  fixed         3.4.3-2+deb11u3   -
bookworm             fixed         3.6.2-1+deb12u3   -
bookworm (security)  vulnerable    3.6.2-1+deb12u2   -
trixie               fixed         3.7.4-4           -
forky, sid           fixed         3.8.5-1           -
(unstable)           fixed         3.7.4-4           -

EUVD-2025-17576 vulnerability details – vuln.today