CVE-2025-1632: Improper Resource Shutdown or Release in Libarchive

Severity: 4.8 MEDIUM (NVD)
EPSS: 0.0% (top 93.38%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Feb 24
Latest update: Apr 23

Description

A vulnerability was found in libarchive up to 3.7.7. It has been classified as problematic. This affects the function list of the file bsdunzip.c. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages (6 packages)

debian: debian/libarchive < libarchive 3.7.4-2 (forky)
Debian: libarchive/libarchive < 3.7.4-2 (+1)
Ubuntu: libarchive/libarchive < 3.4.0-2ubuntu1.5 (+2)
CVEListV5: libarchive/libarchive, 8 versions (+7)

Vulnerability Details (4)

OSV: libarchive vulnerabilities (2025-04-23)
CVEList: libarchive bsdunzip.c list null pointer dereference (2025-02-24)
OSV: CVE-2025-1632: A vulnerability was found in libarchive up to 3 (2025-02-24)
GHSA: GHSA-cw9m-pj72-3cj5: A vulnerability was found in libarchive up to 3 (2025-02-24)

Vendor Advisories (4)

Ubuntu: libarchive vulnerabilities (2025-04-23)
Red Hat: libarchive: null pointer dereference in bsdunzip.c (2025-02-24)
Microsoft: libarchive bsdunzip.c list null pointer dereference (2025-02-11)
Debian: CVE-2025-1632: libarchive - A vulnerability was found in libarchive up to 3.7.7. It has been classified as p... (2025)