CVE-2025-5915

CWE-122 — Heap-based Buffer Overflow9 documents8 sources

Severity

6.6MEDIUM

EPSS

0.1%

top 74.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Libarchive Libarchive Redhat Enterprise Linux Redhat Openshift Container Platform

Timeline

PublishedJun 9

Latest updateJun 26

Description

A vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:HExploitability: 1.3 | Impact: 5.2

Affected Packages3 packages

▶NVDlibarchive/libarchive< 3.8.0

▶Debianlibarchive< 3.6.2-1+deb12u3+2

▶Ubuntulibarchive< 3.6.0-1ubuntu1.5+1

Also affects: Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0, Openshift Container Platform 4.0

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

libarchive vulnerabilities↗2025-06-26

▶

CVEList

Libarchive: heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c↗2025-06-09

▶

GHSA

GHSA-rfq2-xjgr-h957: A vulnerability has been identified in the libarchive library↗2025-06-09

▶

OSV

CVE-2025-5915: A vulnerability has been identified in the libarchive library↗2025-06-09

▶

📋Vendor Advisories

Ubuntu

libarchive vulnerabilities↗2025-06-26

▶

Microsoft

Libarchive: heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c↗2025-06-10

▶

Red Hat

libarchive: Heap buffer over read in copy_from_lzss_window() at archive_read_support_format_rar.c↗2025-05-20

▶

Debian

CVE-2025-5915: libarchive - A vulnerability has been identified in the libarchive library. This flaw can lea...↗2025

▶