CVE-2022-26280 — Out-of-bounds Read in Libarchive

CWE-125 — Out-of-bounds Read8 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 68.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Debian Libarchive Fedoraproject Fedora +3 more

Timeline

PublishedMar 28

Latest updateApr 11

Description

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:HExploitability: 2.2 | Impact: 4.2

Affected Packages6 packages

▶debiandebian/libarchive< libarchive 3.6.2-1 (bookworm)

▶Debianlibarchive/libarchive< 3.4.3-2+deb11u2+3

▶NVDlibarchive/libarchive3.6.0

▶msrcmsrc/cbl2_libarchive_3.6.1-1_on_cbl_mariner_2.0

▶msrcmsrc/cbl_mariner_2.0_arm

Also affects: Fedora 36

🔴Vulnerability Details

GHSA

GHSA-v37p-j5qh-w8c9: Libarchive v3↗2022-03-30

▶

OSV

CVE-2022-26280: Libarchive v3↗2022-03-28

▶

CVEList

CVE-2022-26280: Libarchive v3↗2022-03-28

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerability↗2022-04-11

▶

Red Hat

libarchive: an out-of-bounds read via the component zipx_lzma_alone_init↗2022-03-29

▶

Microsoft

Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.↗2022-03-08

▶

Debian

CVE-2022-26280: libarchive - Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the compon...↗2022

▶