9.8
CVE-2026-5121
red hat · red hat enterprise linux

Libarchive: libarchive: arbitrary code execution via integer overflow in iso9660 image processing

Description

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Affected Products

Vendor | Product | Versions
red hat | red hat enterprise linux | —

References

  • https://access.redhat.com/security/cve/CVE-2026-5121 (vdb-entry, x_refsource_REDHAT)
  • https://github.com/libarchive/libarchive/pull/2934

Related News (2 articles)

Tier B · BSI Advisories · 9h ago
[NEW] [medium] libarchive: Vulnerability allows code execution
→ No new info (linked only)
Tier C · VulDB · 1d ago
CVE-2026-5121 | libarchive on 32-bit ISO9660 Image Parser heap-based overflow
→ No new info (linked only)
CVSS 3.1: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Published: Mar 30, 2026
Last enriched: 1d ago (v2)
Trending Score: 54
Source articles: 2
Independent: 2
Info Completeness: 5/14
Missing: versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-1961 · EXP
Foreman: foreman: remote code execution via command injection in websocket proxy
Trending: 60
NONE · CVE-2026-28369 · EXP
Undertow: undertow: request smuggling via malformed http request headers
Trending: 54
NONE · CVE-2026-28367 · EXP
Undertow: undertow: request smuggling via `\r\r\r` as a header block terminator
Trending: 48
NONE · CVE-2026-5165 · EXP
Virtio-win: virtio-win: memory corruption via use-after-free in virtio blk device reset
Trending: 39
NONE · CVE-2026-5119 · EXP
Libsoup: libsoup: information disclosure via cleartext transmission of cookies during https tunnel establishment
Trending: 33

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 30, 2026
Discovered by ZDM: Mar 30, 2026
Updated (description, severity): Mar 30, 2026

Version History

v2 · Tier C · 1d ago

Updated severity to CRITICAL, clarified that the vulnerability is cataloged as CVE-2026-5121, and corrected the status of exploit availability.

description, severity
via VulDB

v1 · 1d ago

Initial creation