
Debian 11 libarchive Critical DoS & Remote Exploits DLA-4563-1

Debian LTS
May 5, 2026
Multiple critical flaws in libarchive could trigger denial-of-service and remote exploits. Upgrade recommended for Debian.
Multiple vulnerabilities have been discovered in libarchive, a multi-format archive and compression C library, which also provides the following command-line tools: bsdcat, bsdcpio...

Summary

CVE-2026-4111

A flaw was identified in the RAR5 archive decompression logic of the
libarchive library, specifically within the archive_read_data()
processing path. When a specially crafted RAR5 archive is processed,
the decompression routine may enter a state where internal logic
prevents forward progress. This condition results in an infinite loop
that continuously consumes CPU resources. Because the archive passes
checksum validation and appears structurally valid, affected
applications cannot detect the issue before processing. This can allow
attackers to cause persistent denial-of-service conditions in services
that automatically process archives.
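The paragraph above makes the operational point: the archive passes checksum validation, so the consumer cannot reject it before handing it to the decompressor, and the hang only shows up as a process that never finishes. The following is an added example, not code from the advisory, from Debian or from the libarchive project. It runs the package's bsdtar front end in a child process under a CPU-time cap, a wall-clock timeout and an address-space cap, so that an infinite loop (or a crash from the out-of-bounds reads in the other listed CVEs) ends as a bounded, classified failure that can be logged and alerted on, and it checks the installed package against the fixed version from this advisory with dpkg's own comparison. Assumptions: bsdtar and dpkg are present on the host, libarchive13 is the binary package name on bullseye, and a per-process limit is an acceptable policy for the calling service.

```python
"""Bounded processing of untrusted archives with the libarchive tools.

Added example for this advisory page; it is not code from the advisory,
from Debian or from the libarchive project. CVE-2026-4111 is an infinite
loop in RAR5 decompression that a checksum-valid archive can trigger, so
the caller cannot reject the input up front. Until the fixed package is
installed, the practical mitigation is to run the archive tool in a child
process under a CPU-time cap, a wall-clock timeout and a memory cap, so a
hang or a crash in the decompressor becomes a bounded, detectable failure.
"""
import resource
import subprocess
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ArchiveResult:
    ok: bool                   # True only when the tool exited 0 within all limits
    reason: str                # short classification for logging/alerting
    returncode: Optional[int]  # None when the parent had to kill the child
    output: str                # stdout on success, stderr on tool error


def _limit_child(cpu_seconds: int, mem_bytes: int) -> None:
    """Runs inside the forked child before exec (preexec_fn).

    The soft CPU limit raises SIGXCPU (fatal by default); the hard limit one
    second later delivers SIGKILL even if the tool ignores SIGXCPU, so a
    decompressor that spins forever is stopped by the kernel regardless of
    what the parent does. RLIMIT_AS bounds address space for the same reason.
    """
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))


def run_bounded(cmd: List[str], cpu_seconds: int = 10, wall_seconds: int = 30,
                mem_bytes: int = 512 * 2**20) -> ArchiveResult:
    """Run cmd under resource limits and classify how it ended."""
    try:
        proc = subprocess.run(
            cmd, capture_output=True, text=True, timeout=wall_seconds,
            preexec_fn=lambda: _limit_child(cpu_seconds, mem_bytes))
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child for us when the wall clock expires
        return ArchiveResult(False, "wall-clock timeout", None, "")
    except FileNotFoundError:
        return ArchiveResult(False, "command not found: " + cmd[0], None, "")
    if proc.returncode < 0:
        # Negative code = terminated by a signal: SIGXCPU/SIGKILL from the CPU
        # limit, or SIGSEGV from a memory-safety bug such as the heap reads
        return ArchiveResult(False, "killed by signal %d" % -proc.returncode,
                             proc.returncode, proc.stderr)
    if proc.returncode != 0:
        return ArchiveResult(False, "tool reported an error",
                             proc.returncode, proc.stderr)
    return ArchiveResult(True, "ok", 0, proc.stdout)


def list_archive(path: str, **limits) -> ArchiveResult:
    """List an untrusted archive with bsdtar (the libarchive front end
    shipped in the Debian package) under the limits above."""
    return run_bounded(["bsdtar", "-tf", path], **limits)


def installed_version(package: str = "libarchive13") -> Optional[str]:
    """Installed Debian version of the libarchive shared-library package
    (libarchive13 is assumed to be the bullseye binary package name), or
    None where dpkg is not available or the package is not installed."""
    try:
        out = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                             capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def is_fixed(installed: Optional[str],
             fixed: str = "3.4.3-2+deb11u4") -> Optional[bool]:
    """True if installed >= the fixed version from DLA-4563-1, using dpkg's
    own version ordering; None if dpkg or the package is absent."""
    if installed is None:
        return None
    try:
        rc = subprocess.run(
            ["dpkg", "--compare-versions", installed, "ge", fixed]).returncode
    except FileNotFoundError:
        return None
    return rc == 0


if __name__ == "__main__":
    import sys
    print("libarchive13 at or above fixed version:", is_fixed(installed_version()))
    for p in sys.argv[1:]:
        print(p, list_archive(p).reason)
```

The limits are set in the child, so they also apply to anything bsdtar execs, and the kernel enforces the CPU cap without the parent polling. A result whose reason is "killed by signal" or "wall-clock timeout" on an archive that the tool otherwise accepts is the signature to alert on for a service that processes archives automatically; the dpkg check tells you whether the host still needs the update listed under Package and Version below.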

CVE-2026-4424

A flaw was found in libarchive. This heap out-of-bounds read
vulnerability exists in the RAR archive processing logic due to
improper validation of the LZSS sliding window size after transitions
between compression methods. A remote attacker can exploit this by



Severity: critical

Package: libarchive
Version: 3.4.3-2+deb11u4
CVE ID: CVE-2026-4111 CVE-2026-4424 CVE-2026-4426 CVE-2026-5121
Debian Bug: 1130753 1131444 1131446 1133002
