CVE-2026-4426 — Incorrect Bitwise Shift of Integer in Libarchive

CWE-1335 — Incorrect Bitwise Shift of Integer7 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Libarchive Msrc Azl3 Libarchive 3.7.7-4 ON Azure Linux 3.0 Msrc Cbl2 Libarchive 3.6.1-8 ON CBL Mariner 2.0

Timeline

PublishedMar 19

Description

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libarchive

▶msrcmsrc/azl3_libarchive_3.7.7-4_on_azure_linux_3.0

▶msrcmsrc/cbl2_libarchive_3.6.1-8_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-r3fp-vrpw-pg77: A flaw was found in libarchive↗2026-03-19

▶

OSV

CVE-2026-4426: A flaw was found in libarchive↗2026-03-19

▶

📋Vendor Advisories

Red Hat

libarchive: libarchive: Denial of Service via malformed ISO file processing↗2026-03-19

▶

Microsoft

Libarchive: libarchive: denial of service via malformed iso file processing↗2026-03-10

▶

Debian

CVE-2026-4426: libarchive - A flaw was found in libarchive. An Undefined Behavior vulnerability exists in th...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4426 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶