CVE-2024-20697 (published 2024-01-09)

CVE-2024-20697: Windows libarchive Remote Code Execution Vulnerability

Priority: P3 (58)
CVSS 3.1: 7.3 (high), vector AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 72.16% (99.4th percentile)

Affected (10 ranges)

Vendor     Product                                          Version range                        Fixed in
microsoft  windows_11_22h2                                  < 10.0.22621.3007                    10.0.22621.3007
microsoft  windows_11_23h2                                  < 10.0.22631.3007                    10.0.22631.3007
microsoft  windows_11_version_22h2                          >= 10.0.22621.0 < 10.0.22621.3007    10.0.22621.3007
microsoft  windows_11_version_22h3                          >= 10.0.22631.0 < 10.0.22631.3007    10.0.22631.3007
microsoft  windows_11_version_23h2                          >= 10.0.22631.0 < 10.0.22631.3007    10.0.22631.3007
msrc       windows_11_version_22h2_for_arm64-based_systems  (no range listed)
msrc       windows_11_version_22h2_for_x64-based_systems    (no range listed)
msrc       windows_11_version_23h2_for_arm64-based_systems  (no range listed)
msrc       windows_11_version_23h2_for_x64-based_systems    (no range listed)
msrc       windows_server_2022_23h2_edition                 (no range listed)

Detection & IOCs (extracted from sources)

other: RARVM filter fingerprint 0x35AD576887
other: RARVM filter fingerprint 0x393CD7E57E
other: RARVM filter 5th register value 4 (triggers integer overflow to 0xFFFFFFFF)
bytes: 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 (RAR file signature)
  • Monitor and parse traffic on FTP, HTTP, SMTP, IMAP, SMB, and POP3 for RAR archive transfers; identify RAR files by the magic byte signature 0x52 0x61 0x72 0x21 0x1A 0x07 0x00 at the start of the file.
  • Within a RAR4 (UnpVer=29) archive, parse RARVM filter structures and flag any filter whose computed fingerprint equals 0x35AD576887 or 0x393CD7E57E AND whose 5th register (initialregisters[4]) is set to 4, as this triggers the integer overflow in execute_filter_e8().
  • Focus detection on RAR archives using format version 2.9/RAR4 (FileHeader UnpVer field = 29) with compressed data (Method field != 0x30/Store), as the vulnerable code path is only reachable for this version.
  • The vulnerable function is execute_filter_e8() in libarchive/archive_read_support_format_rar.c; a heap-based buffer overflow occurs when the loop exit condition overflows to 0xFFFFFFFF, causing out-of-bounds access beyond the 0x40004-byte VM memory buffer.
  • The upstream fix for this vulnerability is tracked as CVE-2024-26256 and is available via the libarchive pull request at https://github.com/libarchive/libarchive/pull/2135; use this to verify patched vs. unpatched library versions.
  • The RAR4 format has no official documentation; all field names and structure descriptions are derived from the UnRAR and libarchive source code, so detection logic must be validated against those implementations.
  • The CVE-2024-20697 identifier tracks this issue specifically in Windows; the upstream libarchive issue is tracked separately as CVE-2024-26256. Red Hat Enterprise Linux packages are assessed as not affected.
  • Despite the 'Remote Code Execution' title, the CVSS attack vector is Local (AV:L): exploitation requires user interaction (UI:R), meaning a victim must open a malicious RAR archive, and the attacker needs at minimum guest privileges (PR:L).
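The first two detection bullets above describe a two-stage check: recognise a RAR4 archive by its signature, then restrict attention to entries that use the 2.9 compression format (UnpVer = 29) with a non-Store method, since only that path reaches execute_filter_e8(). The following is an added example of that header-level pre-filter, written for this page and not taken from libarchive, UnRAR or the page's sources. The block-header layout it walks (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, then the file-header fields PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME, UNP_VER, METHOD, NAME_SIZE, ATTR) follows the format as implemented in those readers, which, as the page notes, is the only available documentation. The sample archive is constructed inline with zeroed CRCs and dummy packed bytes; function names (`parse_rar4_file_headers`, `triage`, `build_sample_archive`) are this example's own. It deliberately stops short of the RARVM filter fingerprinting in the second bullet, which requires decoding the compressed stream and is best left to the patched library itself.

```python
import struct

# RAR4 marker block, as listed in the IOCs on this page.
RAR4_MAGIC = bytes([0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x00])
HEAD_TYPE_MAIN = 0x73
HEAD_TYPE_FILE = 0x74
LONG_BLOCK = 0x8000     # block is followed by ADD_SIZE bytes of data
LHD_LARGE = 0x0100      # file header carries 64-bit pack/unpack sizes
METHOD_STORE = 0x30     # "Store": no compression, vulnerable path not reached
UNP_VER_RAR29 = 29      # RAR 2.9 / RAR4 compression, required for the vulnerable path


def parse_rar4_file_headers(data):
    """Walk RAR4 block headers and return one dict per file header.

    Returns None when the blob does not start with the RAR4 signature.
    Header CRCs are not verified: this is a triage pre-filter, not an extractor.
    """
    if not data.startswith(RAR4_MAGIC):
        return None
    off = len(RAR4_MAGIC)
    entries = []
    while off + 7 <= len(data):
        # Every block: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2), little-endian.
        _crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, off)
        if head_size < 7:
            break  # corrupt/truncated header; stop instead of looping forever
        add_size = 0
        if head_type == HEAD_TYPE_FILE:
            if off + 32 > len(data):
                break
            (pack_size, unp_size, _host_os, _file_crc, _ftime,
             unp_ver, method, name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, off + 7)
            pos = off + 32
            if head_flags & LHD_LARGE:
                if pos + 8 > len(data):
                    break
                high_pack, high_unp = struct.unpack_from("<II", data, pos)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                pos += 8
            name = data[pos:pos + name_size].decode("latin-1", errors="replace")
            entries.append({"name": name, "unp_ver": unp_ver, "method": method,
                            "pack_size": pack_size, "unp_size": unp_size})
            add_size = pack_size  # packed data follows the file header
        elif head_flags & LONG_BLOCK:
            if off + 11 > len(data):
                break
            add_size = struct.unpack_from("<I", data, off + 7)[0]
        off += head_size + add_size
    return entries


def triage(data):
    """Classify a blob per the page's guidance: only RAR4 entries with
    UnpVer == 29 and a non-Store method can reach execute_filter_e8()."""
    entries = parse_rar4_file_headers(data)
    if entries is None:
        return "not_rar4", []
    hits = [e for e in entries
            if e["unp_ver"] == UNP_VER_RAR29 and e["method"] != METHOD_STORE]
    return ("rar4_v29_compressed" if hits else "rar4_no_reachable_path"), hits


def build_sample_archive(unp_ver=29, method=0x33, payload=b"\x01\x02\x03\x04"):
    """Constructed minimal RAR4 archive for testing: zeroed CRCs and dummy
    packed bytes, so it is not extractable, but its headers parse."""
    main = struct.pack("<HBHH", 0, HEAD_TYPE_MAIN, 0, 13) + b"\x00" * 6  # HighPosAV + PosAV
    name = b"report.doc"
    head = struct.pack("<HBHH", 0, HEAD_TYPE_FILE, LONG_BLOCK, 32 + len(name))
    head += struct.pack("<IIBIIBBHI", len(payload), 4096, 2, 0, 0,
                        unp_ver, method, len(name), 0x20)
    return RAR4_MAGIC + main + head + name + payload


if __name__ == "__main__":
    label, hits = triage(build_sample_archive())
    print(label, [h["name"] for h in hits])
```

In a network or mail pipeline the `triage` call would run on each carved attachment or HTTP/SMB body that begins with the signature; everything it labels `rar4_v29_compressed` is then worth handing to a patched libarchive (or the CVE-2024-26256 fix referenced above) in an isolated sandbox for the deeper filter check, while Store-only or non-2.9 archives can be deprioritised.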

CVSS provenance

nvd (v3.1): 7.3 HIGH, CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
vendor_msrc: 7.3 HIGH
vendor_redhat: 7.3 HIGH