Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-4424PATCHED

red hat · red hat enterprise linux

Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing

Description

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Affected Products

Vendor	Product	Versions
red hat	red hat enterprise linux	—

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	open source libarchive	cert_advisory	90%
oracle	oracle linux	cert_advisory	90%
red hat	red hat enterprise linux	cert_advisory	90%

References

https://access.redhat.com/errata/RHSA-2026:8492(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8510(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8517(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8521(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8534(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8864(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8865(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8866(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8867(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8873(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:8908(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/errata/RHSA-2026:9026(vendor-advisory, x_refsource_REDHAT)
https://access.redhat.com/security/cve/CVE-2026-4424(vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2449006(issue-tracking, x_refsource_REDHAT)
https://github.com/libarchive/libarchive/pull/2898

Related News (1 articles)

Tier B

BSI Advisories4d ago

[UPDATE] [mittel] libarchive: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen und DoS

→ No new info (linked only)

CVSS 3.17.5 NONE

CISA KEV❌ No

Actively exploited❌ No

Patch available

0:3.7.7-8.el10_1

CWECWE-125

PublishedMar 19, 2026

Last enriched19d ago

Trending Score17

Source articles1

Independent1

Info Completeness5/14

Missing: vendor, product, versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

NONECVE-2026-0966

Libssh: buffer underflow in ssh_get_hexa() on invalid input

NONECVE-2026-40915

Gimp: gimp: heap buffer overflow due to integer overflow in fits image loader

MEDIUMCVE-2026-6383EXP

Kubevirt: kubevirt: unauthorized subresource access due to improper rbac evaluation

NONECVE-2026-0994

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any message

MEDIUMCVE-2026-37980

Org.keycloak.forms.login: keycloak: keycloak: arbitrary code execution via stored cross-site scripting (xss) in organization selection login page

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 19, 2026

Discovered by ZDM

Apr 1, 2026

Patch Available

Apr 20, 2026