RHSA-2026:5063 Red Hat Security Advisory: libarchive security update
Details
CVSS v3: 7.5
NVD published: 2026-03-13 19:55:13
EPSS: <0.1% probability · 11.0th percentile (2026-03-18)
Affected versions: All unpatched versions of libarchive with RAR5 decompression support
Summary
This vulnerability exists in the RAR5 archive decompression logic of the libarchive library. An attacker can craft a RAR5 archive that sends the vulnerable function into an infinite loop when it is processed. The malicious archive passes the initial checksum and structural validation, so it is not rejected by the checks that run before decompression. Successful exploitation leads to a persistent denial of service by exhausting CPU resources on affected systems.
Remediation
Update libarchive to the latest patched version from the official libarchive project that resolves this flaw. If an immediate update is not feasible, restrict the processing of untrusted, user-supplied archives by the affected libarchive installation. Test patches after deployment to confirm there are no compatibility issues with dependent applications.
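One way to apply the interim remediation above, as an added example that is not part of this advisory or of the libarchive project: do the archive processing in a disposable child process with a hard CPU-time budget and a wall-clock backstop, so that a decompression loop that never terminates is killed instead of becoming a persistent denial of service. The `run_isolated` wrapper and the three `*_decompress` functions are constructed stand-ins; in a real deployment `work` would be the call that hands the untrusted archive to libarchive.

```python
import os
import resource
import signal
import time


def run_isolated(work, cpu_seconds=2, wall_seconds=10):
    """Run work() in a forked child process with hard time budgets.

    Returns one of:
      "ok"          work() returned and the child exited cleanly
      "cpu-limit"   the child used more than cpu_seconds of CPU time
      "wall-limit"  the child ran longer than wall_seconds of wall-clock time
      "error"       work() raised (the child exited non-zero)
      "killed"      the child died from some other signal
    """
    pid = os.fork()
    if pid == 0:
        # ---- child: arm the limits, then do the untrusted work ----
        try:
            # Rely on the kernel's default disposition (terminate) for both
            # signals rather than on handlers inherited from the parent.
            signal.signal(signal.SIGXCPU, signal.SIG_DFL)
            signal.signal(signal.SIGALRM, signal.SIG_DFL)
            # Soft limit delivers SIGXCPU; the hard limit one second later is
            # the kernel's SIGKILL backstop. Never raise an existing hard cap.
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            new_hard = cpu_seconds + 1
            if hard != resource.RLIM_INFINITY:
                new_hard = min(hard, new_hard)
            resource.setrlimit(resource.RLIMIT_CPU, (min(cpu_seconds, new_hard), new_hard))
            # Wall-clock cap for loops that stall on I/O rather than spin.
            signal.alarm(wall_seconds)
            work()
            os._exit(0)
        except BaseException:
            os._exit(1)
    # ---- parent: wait and classify how the child ended ----
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        sig = os.WTERMSIG(status)
        if sig in (signal.SIGXCPU, signal.SIGKILL):
            return "cpu-limit"
        if sig == signal.SIGALRM:
            return "wall-limit"
        return "killed"
    return "ok" if os.WEXITSTATUS(status) == 0 else "error"


# Constructed stand-ins for the archive-processing call (not libarchive code).
def bounded_decompress():
    """Benign archive: a loop that terminates."""
    total = 0
    for i in range(200_000):
        total += i


def spinning_decompress():
    """The advisory's failure mode: an exit condition that is never met."""
    while True:
        pass


def stalled_decompress():
    """A loop that waits instead of spinning; only the wall-clock cap catches it."""
    while True:
        time.sleep(0.5)


def demo():
    """Run all three stand-ins under limits and report how each ended."""
    return {
        "bounded": run_isolated(bounded_decompress, cpu_seconds=2),
        "spinning": run_isolated(spinning_decompress, cpu_seconds=1),
        "stalled": run_isolated(stalled_decompress, cpu_seconds=1, wall_seconds=1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The limits are enforced by the kernel, so they hold even when the looping code never returns to Python; a "cpu-limit" or "wall-limit" outcome for a given input is also a useful signal to log and alert on, since the advisory notes that such archives pass the checksum and structural checks that run beforehand.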