CVE-2026-4424 — Out-of-bounds Read in Libarchive

CWE-125 — Out-of-bounds Read8 documents8 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 49.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libarchive Msrc Azl3 Libarchive 3.7.7-4 ON Azure Linux 3.0 Msrc Cbl2 Libarchive 3.6.1-8 ON CBL Mariner 2.0

Timeline

PublishedMar 19

Description

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libarchive

▶msrcmsrc/azl3_libarchive_3.7.7-4_on_azure_linux_3.0

▶msrcmsrc/cbl2_libarchive_3.6.1-8_on_cbl_mariner_2.0

🔴Vulnerability Details

OSV

CVE-2026-4424: A flaw was found in libarchive↗2026-03-19

▶

GHSA

GHSA-c75f-55f6-f63q: A flaw was found in libarchive↗2026-03-19

▶

📋Vendor Advisories

Red Hat

libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing↗2026-03-19

▶

Microsoft

Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing↗2026-03-10

▶

Debian

CVE-2026-4424: libarchive - A flaw was found in libarchive. This heap out-of-bounds read vulnerability exist...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4424 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-4424 libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing↗2026-03-19

▶