A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00364.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Red Hat Red Hat Enterprise Linux 10 affected
Version Status Constraints
0:3.7.7-8.el10_1 unaffected < *
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support affected
Version Status Constraints
0:3.7.7-5.el10_0 unaffected < *
Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support affected
Version Status Constraints
0:3.1.2-14.el7_9.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8 affected
Version Status Constraints
0:3.3.3-7.el8_10 unaffected < *
Red Hat Red Hat Enterprise Linux 8.2 Advanced Update Support affected
Version Status Constraints
0:3.3.2-8.el8_2.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support affected
Version Status Constraints
0:3.3.3-1.el8_4.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On affected
Version Status Constraints
0:3.3.3-1.el8_4.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support affected
Version Status Constraints
0:3.3.3-6.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Telecommunications Update Service affected
Version Status Constraints
0:3.3.3-6.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions affected
Version Status Constraints
0:3.3.3-6.el8_6.1 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Telecommunications Update Service affected
Version Status Constraints
0:3.3.3-5.el8_8.2 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions affected
Version Status Constraints
0:3.3.3-5.el8_8.2 unaffected < *
Red Hat Red Hat Enterprise Linux 9 affected
Version Status Constraints
0:3.5.3-9.el9_7 unaffected < *
Red Hat Red Hat Enterprise Linux 9 affected
Version Status Constraints
0:3.5.3-9.el9_7 unaffected < *
Red Hat Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions affected
Version Status Constraints
0:3.5.3-2.el9_0.4 unaffected < *
Red Hat Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions affected
Version Status Constraints
0:3.5.3-5.el9_2.2 unaffected < *
Red Hat Red Hat Enterprise Linux 9.4 Extended Update Support affected
Version Status Constraints
0:3.5.3-5.el9_4 unaffected < *
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support affected
Version Status Constraints
0:3.5.3-7.el9_6.1 unaffected < *
Red Hat Red Hat OpenShift Container Platform 4.16 affected
Version Status Constraints
416.94.202604211449-0 unaffected < *
Red Hat Red Hat Hardened Images affected
Version Status Constraints
3.8.7-1.hum1 unaffected < *
Red Hat Red Hat Insights proxy 1.5 affected
Version Status Constraints
1776868961 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1776868774 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1776868744 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1776868772 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1776868842 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1777459441 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1777454300 unaffected < *
Red Hat Red Hat Update Infrastructure 5 affected
Version Status Constraints
1777459504 unaffected < *
Red Hat Red Hat Enterprise Linux 6 unknown

Configuration 1 [-]

OR cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.16:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Libarchive Subscribe
Libarchive Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Openshift Container Platform Subscribe

Project Subscriptions

Vendors Products
Libarchive Subscribe
Libarchive Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Enterprise Linux Eus Subscribe
Enterprise Linux Server Aus Subscribe
Hardened Images Subscribe
Hummingbird Subscribe
Insights Proxy Subscribe
Openshift Subscribe
Openshift Container Platform Subscribe
Openshift Container Platform For Arm64 Subscribe
Openshift Container Platform For Power Subscribe
Rhel Aus Subscribe
Rhel E4s Subscribe
Rhel Els Subscribe
Rhel Eus Subscribe
Rhel Eus Long Life Subscribe
Rhel Tus Subscribe
Rhui Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

References
Link Providers
https://access.redhat.com/errata/RHSA-2026:10065 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:10097 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:11768 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8492 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8510 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8517 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8521 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8534 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8864 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8865 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8866 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8867 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8873 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8908 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:8944 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9026 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9592 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2026:9832 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2026-4424 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2449006 cve-icon cve-icon
https://github.com/libarchive/libarchive/pull/2898 cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-4424 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-4424 cve-icon
History

Thu, 30 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Server Aus
Redhat hardened Images
Redhat openshift Container Platform For Arm64
Redhat openshift Container Platform For Power
CPEs cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.16:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform_for_power:4.16:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
Vendors & Products Redhat enterprise Linux Server Aus
Redhat hardened Images
Redhat openshift Container Platform For Arm64
Redhat openshift Container Platform For Power

Thu, 30 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:openshift:4 cpe:/a:redhat:openshift:4.16::el9
References

Wed, 29 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhui
CPEs cpe:/a:redhat:rhui:5::el9
Vendors & Products Redhat rhui
References

Wed, 22 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
References

Wed, 22 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat insights Proxy
CPEs cpe:/a:redhat:insights_proxy:1.5::el9
Vendors & Products Redhat insights Proxy
References

Wed, 22 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus Long Life
CPEs cpe:/o:redhat:rhel_aus:8.4::baseos
cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Vendors & Products Redhat rhel Eus Long Life
References

Mon, 20 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:rhel_e4s:8.8::baseos
cpe:/o:redhat:rhel_tus:8.8::baseos
References

Mon, 20 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/o:redhat:rhel_eus:9.6::baseos
References

Mon, 20 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Tus
CPEs cpe:/o:redhat:rhel_aus:8.6::baseos
cpe:/o:redhat:rhel_e4s:8.6::baseos
cpe:/o:redhat:rhel_tus:8.6::baseos
Vendors & Products Redhat rhel Tus
References

Mon, 20 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/o:redhat:rhel_eus:9.4::baseos
Vendors & Products Redhat rhel Eus
References

Mon, 20 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/o:redhat:enterprise_linux_eus:10.0
cpe:/o:redhat:rhel_e4s:9.2::baseos
Vendors & Products Redhat enterprise Linux Eus
References

Mon, 20 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
cpe:/o:redhat:rhel_e4s:9.0::baseos
Vendors & Products Redhat rhel E4s
References

Thu, 16 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Els
CPEs cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:rhel_aus:8.2::baseos
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Aus
Redhat rhel Els
References

Thu, 16 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::crb
cpe:/o:redhat:enterprise_linux:8::baseos
References

Thu, 16 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:9 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/o:redhat:enterprise_linux:9::baseos
References

Thu, 16 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:10.1
References

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Libarchive
Libarchive libarchive
Redhat openshift Container Platform
Vendors & Products Libarchive
Libarchive libarchive
Redhat openshift Container Platform

Fri, 20 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 19 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
Title Libarchive: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-125
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-30T12:47:07.654Z

Reserved: 2026-03-19T12:23:38.191Z

Link: CVE-2026-4424

cve-icon Vulnrichment

Updated: 2026-03-19T17:07:50.644Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T15:16:28.300

Modified: 2026-04-30T18:44:39.780

Link: CVE-2026-4424

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-19T00:00:00Z

Links: CVE-2026-4424 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:46:27Z

Weaknesses