CVE-2025-25724: Unchecked Return Value in Libarchive

Severity
NVD: 7.8 HIGH
CNA: 4.0 | OSV: 5.5 | OSV: 4.8
EPSS
0.0% (top 92.04%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 2
Latest update: Apr 2

Description

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check the strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale: when the formatted time does not fit, strftime returns 0 and leaves the buffer contents indeterminate, and the unchecked result is then printed as a string.
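The following is an added example, not code from libarchive or from the advisory. It shows the pattern the description criticises next to a hardened version: a fixed 100-byte buffer filled by strftime() and printed with "%s" without checking whether strftime() reported that the output did not fit. The function names are hypothetical, the sample mtime is constructed, and gmtime() stands in for the localtime() call a tar lister would make so the output does not depend on the host time zone. The small buffer in the second call models the "custom locale produces more than 100 bytes" case from the description without needing such a locale installed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/*
 * Added example, not libarchive code. A verbose tar listing (bsdtar -tvv)
 * formats each entry's mtime with strftime() into a fixed-size buffer and
 * prints it. The vulnerable pattern ignores strftime()'s return value.
 */

/* Vulnerable pattern: the return value of strftime() is discarded. If the
 * formatted time does not fit in bufsz bytes (a locale with long day or month
 * names can do that), strftime() returns 0 and, per the C standard, the
 * contents of buf are indeterminate, so a later "%s" print reads garbage,
 * possibly running past the end of the buffer. */
static void format_mtime_unchecked(char *buf, size_t bufsz,
                                   const char *fmt, time_t t)
{
    /* bsdtar uses localtime(); gmtime() keeps this example deterministic. */
    struct tm *tm = gmtime(&t);
    strftime(buf, bufsz, fmt, tm);   /* return value ignored */
}

/* Hardened pattern. strftime() returns the number of bytes written (not
 * counting the NUL) and 0 when the result did not fit. Zero is ambiguous,
 * because an empty format also yields 0, so treat it as failure only for a
 * non-empty format. On failure, store a well-defined placeholder so nothing
 * indeterminate is ever printed. Returns 1 on success, 0 on truncation/error. */
static int format_mtime_checked(char *buf, size_t bufsz,
                                const char *fmt, time_t t)
{
    if (bufsz == 0)
        return 0;

    struct tm *tm = gmtime(&t);
    if (tm == NULL) {
        buf[0] = '\0';
        return 0;
    }

    size_t n = strftime(buf, bufsz, fmt, tm);
    if (n == 0 && fmt[0] != '\0') {
        snprintf(buf, bufsz, "%s", "?");   /* placeholder, always NUL-terminated */
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample mtime: 2025-03-02 00:00:00 UTC. */
    time_t mtime = (time_t)1740873600;
    char tmp[100];   /* the buffer size named in the description */
    char small[8];   /* stands in for "output longer than the buffer" */

    /* The unchecked call is harmless only while the output fits. */
    format_mtime_unchecked(tmp, sizeof tmp, "%Y-%m-%d", mtime);
    printf("unchecked: [%s]\n", tmp);

    /* An ls -l style date easily fits in 100 bytes. */
    if (format_mtime_checked(tmp, sizeof tmp, "%b %e  %Y", mtime))
        printf("fits:      [%s]\n", tmp);

    /* A long format into a small buffer models the oversized-locale case. */
    if (!format_mtime_checked(small, sizeof small, "%A, %d %B %Y %H:%M:%S", mtime))
        printf("truncated: [%s]  (strftime returned 0; placeholder used)\n", small);

    return 0;
}
```

The check matters because glibc writes the partial result and returns 0 without terminating the string, so the difference between the two functions is exactly what the advisory calls "denial of service or unspecified other impact".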

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (5 packages)

Source      Package                  Affected versions
Debian      debian/libarchive        < 3.8.4-1 (forky)
Debian      libarchive/libarchive    < 3.8.4-1
Ubuntu      libarchive/libarchive    < 3.4.0-2ubuntu1.5+9
CVEListV5   libarchive/libarchive    3.7.7

Vulnerability Details (5)

OSV: libarchive vulnerabilities (2026-04-02)
OSV: libarchive vulnerabilities (2025-04-23)
OSV: CVE-2025-25724: list_item_verbose in tar/util (2025-03-02)
CVEList: CVE-2025-25724: list_item_verbose in tar/util (2025-03-02)
GHSA: GHSA-722w-734r-qg74: list_item_verbose in tar/util (2025-03-02)

Vendor Advisories (6)

Ubuntu: libarchive vulnerabilities (2026-04-02)
Oracle: Oracle Communications Risk Matrix: Core (libarchive) — CVE-2025-25724 (2025-10-15)
Ubuntu: libarchive vulnerabilities (2025-04-23)
Microsoft: list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is (2025-03-11)
Red Hat: libarchive: Buffer Overflow vulnerability in libarchive (2025-03-02)