In mspack/cab.h in libmspack before 0.8alpha and cabextract before 1.8, the CAB block input buffer is one byte too small for the maximal Quantum block, leading to an out-of-bounds write.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-18584.json"