CVE-2025-60753Uncontrolled Resource Consumption in Libarchive

CWE-400Uncontrolled Resource ConsumptionCWE-835Infinite Loop8 documents7 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 93.45%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
6
LibarchiveDebian LibarchiveMsrc Azl3 Libarchive 3.7.7-3 ON Azure Linux 3.0+3 more
Timeline
PublishedNov 5
Latest updateApr 2

Description

An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

debiandebian/libarchive< libarchive 3.8.4-1 (forky)
Debianlibarchive/libarchive< 3.8.4-1
Ubuntulibarchive/libarchive< 3.6.0-1ubuntu1.6+6

Patches

Patch: github.com

🔴Vulnerability Details

3
OSV
libarchive vulnerabilities2026-04-02
OSV
CVE-2025-60753: An issue was discovered in libarchive bsdtar before version 32025-11-05
GHSA
GHSA-qm3h-46xc-w7w4: An issue was discovered in libarchive bsdtar before version 32025-11-05

📋Vendor Advisories

4
Ubuntu
libarchive vulnerabilities2026-04-02
Microsoft
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allo2025-11-11
Red Hat
libarchive: bsdtar hangs and OOMs with zero-length pattern matches2025-11-05
Debian
CVE-2025-60753: libarchive - An issue was discovered in libarchive bsdtar before version 3.8.1 in function ap...2025