CVE-2026-4424

Published Mar 19, 2026

Last updated 4 days ago

CVSS high 7.5

Overview

Description: A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Source: secalert@redhat.com
NVD status: Modified
Products: libarchive, hardened_images, openshift_container_platform, openshift_container_platform_for_arm64, openshift_container_platform_for_power, enterprise_linux, enterprise_linux_server_aus

Risk scores

CVSS 3.1

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

secalert@redhat.com: CWE-125

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "6A51945D-40D7-4C28-B0BB-774687265DCE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.16:*:*:*:*:*:*:*",
            "matchCriteriaId": "0EBB38E1-4161-402D-8A37-74D92891AAC5",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.16:*:*:*:*:*:*:*",
            "matchCriteriaId": "D3056B67-E5C4-40A0-86BF-1D9E6637B13F",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:redhat:openshift_container_platform_for_power:4.16:*:*:*:*:*:*:*",
            "matchCriteriaId": "0EC48A26-5827-4EC0-BE90-EA25F0A9B56C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*",
            "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*",
            "matchCriteriaId": "6897676D-53F9-45B3-B27F-7FF9A4C58D33",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*",
            "matchCriteriaId": "E28F226A-CBC7-4A32-BE58-398FA5B42481",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References