OESA-2026-1944

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-1944

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2026-1944.json

JSON Data

https://api.osv.dev/v1/vulns/OESA-2026-1944

Upstream

CVE-2026-4424

CVE-2026-4426

CVE-2026-5121

Published

2026-04-17T13:01:16Z

Modified

2026-04-17T13:20:26.478325Z

Summary

libarchive security update

Details

is an open-source BSD-licensed C programming library that provides streaming access to a variety of different archive formats, including tar, cpio, pax, zip, and ISO9660 images. The distribution also includes bsdtar and bsdcpio, full-featured implementations of tar and cpio that use .

Security Fix(es):

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.(CVE-2026-4424)

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.(CVE-2026-4426)

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.(CVE-2026-5121)

Database specific

{
    "severity": "Critical"
}

References

Affected packages

openEuler:24.03-LTS-SP2 / libarchive

Package

Name: libarchive
Purl: pkg:rpm/openEuler/libarchive&distro=openEuler-24.03-LTS-SP2

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.7.1-11.oe2403sp2

Ecosystem specific

{
    "aarch64": [
        "bsdcat-3.7.1-11.oe2403sp2.aarch64.rpm",
        "bsdcpio-3.7.1-11.oe2403sp2.aarch64.rpm",
        "bsdtar-3.7.1-11.oe2403sp2.aarch64.rpm",
        "bsdunzip-3.7.1-11.oe2403sp2.aarch64.rpm",
        "libarchive-3.7.1-11.oe2403sp2.aarch64.rpm",
        "libarchive-debuginfo-3.7.1-11.oe2403sp2.aarch64.rpm",
        "libarchive-debugsource-3.7.1-11.oe2403sp2.aarch64.rpm",
        "libarchive-devel-3.7.1-11.oe2403sp2.aarch64.rpm"
    ],
    "src": [
        "libarchive-3.7.1-11.oe2403sp2.src.rpm"
    ],
    "x86_64": [
        "bsdcat-3.7.1-11.oe2403sp2.x86_64.rpm",
        "bsdcpio-3.7.1-11.oe2403sp2.x86_64.rpm",
        "bsdtar-3.7.1-11.oe2403sp2.x86_64.rpm",
        "bsdunzip-3.7.1-11.oe2403sp2.x86_64.rpm",
        "libarchive-3.7.1-11.oe2403sp2.x86_64.rpm",
        "libarchive-debuginfo-3.7.1-11.oe2403sp2.x86_64.rpm",
        "libarchive-debugsource-3.7.1-11.oe2403sp2.x86_64.rpm",
        "libarchive-devel-3.7.1-11.oe2403sp2.x86_64.rpm"
    ],
    "noarch": [
        "libarchive-help-3.7.1-11.oe2403sp2.noarch.rpm"
    ]
}

Database specific

source

"https://repo.openeuler.org/security/data/osv/OESA-2026-1944.json"