Description
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Published: 2026-03-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Assess Impact
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4563-1 libarchive security update
References
Link Providers
https://access.redhat.com/errata/RHSA-2026:10065 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:10097 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:11768 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:12071 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:12274 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:13812 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14773 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:14937 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:15087 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:16008 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:16009 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:16030 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:16174 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8492 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8510 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8517 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8521 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8534 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8864 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8865 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8866 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8867 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8873 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8908 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8944 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9026 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9592 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9832 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2026-4424 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2449006 cve-icon cve-icon
https://github.com/libarchive/libarchive/pull/2898 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-4424 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-4424 cve-icon
History

Thu, 14 May 2026 22:45:00 +0000

Type Values Removed Values Added
References

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.15::el9
References

Wed, 13 May 2026 14:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.14::el9
References

Tue, 12 May 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat ai Inference Server
CPEs cpe:/a:redhat:ai_inference_server:3.3::el9
Vendors & Products Redhat ai Inference Server
References

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.18::el9
References

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4.12::el8
References

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat discovery
CPEs cpe:/a:redhat:discovery:2::el9
Vendors & Products Redhat discovery
References

Tue, 05 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhosemc
CPEs cpe:/a:redhat:rhosemc:1.0::el8
Vendors & Products Redhat rhosemc
References

Thu, 30 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Server Aus
Redhat hardened Images
Redhat openshift Container Platform For Arm64
Redhat openshift Container Platform For Power
CPEs cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.16:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Vendors & Products Redhat enterprise Linux Server Aus
Redhat hardened Images
Redhat openshift Container Platform For Arm64
Redhat openshift Container Platform For Power

Thu, 30 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift:4.16::el9
References

Wed, 29 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhui
CPEs cpe:/a:redhat:rhui:5::el9
Vendors & Products Redhat rhui
References

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat insights Proxy
CPEs cpe:/a:redhat:insights_proxy:1.5::el9
Vendors & Products Redhat insights Proxy
References

Wed, 22 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus Long Life
CPEs cpe:/o:redhat:rhel_aus:8.4::baseos
cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Vendors & Products Redhat rhel Eus Long Life
References

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhel_e4s:8.8::baseos
cpe:/o:redhat:rhel_tus:8.8::baseos
References

Mon, 20 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/o:redhat:rhel_eus:9.6::baseos
References

Mon, 20 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/o:redhat:rhel_aus:8.6::baseos
cpe:/o:redhat:rhel_e4s:8.6::baseos
cpe:/o:redhat:rhel_tus:8.6::baseos
Vendors & Products Redhat rhel Tus
References

Mon, 20 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/o:redhat:rhel_eus:9.4::baseos
Vendors & Products Redhat rhel Eus
References

Mon, 20 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/o:redhat:enterprise_linux_eus:10.0
cpe:/o:redhat:rhel_e4s:9.2::baseos
Vendors & Products Redhat enterprise Linux Eus
References

Mon, 20 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/o:redhat:rhel_e4s:9.0::baseos
Vendors & Products Redhat rhel E4s
References

Thu, 16 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Els
CPEs cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:rhel_aus:8.2::baseos
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Aus
Redhat rhel Els
References

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::crb
cpe:/o:redhat:enterprise_linux:8::baseos
References

Thu, 16 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/o:redhat:enterprise_linux:9::baseos
References

Thu, 16 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.1
References

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Libarchive
Libarchive libarchive
Redhat openshift Container Platform
Vendors & Products Libarchive
Libarchive libarchive
Redhat openshift Container Platform

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Title Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-125
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Libarchive Libarchive
Redhat Ai Inference Server Discovery Enterprise Linux Enterprise Linux Eus Enterprise Linux Server Aus Hardened Images Hummingbird Insights Proxy Openshift Openshift Container Platform Openshift Container Platform For Arm64 Openshift Container Platform For Power Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus Rhosemc Rhui
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-14T22:13:39.306Z

Reserved: 2026-03-19T12:23:38.191Z

Link: CVE-2026-4424

cve-icon Vulnrichment

Updated: 2026-03-19T17:07:50.644Z

cve-icon NVD

Status : Modified

Published: 2026-03-19T15:16:28.300

Modified: 2026-05-14T23:16:37.050

Link: CVE-2026-4424

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-19T00:00:00Z

Links: CVE-2026-4424 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:46:27Z

Weaknesses