[security][HIGH] libarchive 3.7.9: 3 CVE require triage #6

New issue

Open

opened 2026-05-25 00:46:42 +03:00 by sbelikov · 0 comments

sbelikov commented

2026-05-25 00:46:42 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: libarchive
Version: 3.7.9
EVR: 3.7.9-2
Category: -
Policy class: -
NiceOS policy class: -
Owner: -
Severity: HIGH
Max CVSS: 7.8
CVE count: 3

LLM recommendation / Рекомендация LLM

RU

Для пакета libarchive 3.7.9 найдены CVE-кандидаты по данным NVD/CPE: CVE-2025-5914, CVE-2026-4424, CVE-2026-5121. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for libarchive 3.7.9: CVE-2025-5914, CVE-2026-4424, CVE-2026-5121. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	NiceOS status	Reason
CVE-2025-5914	HIGH	7.8	cpe-range	needs_triage	package version is inside version range
CVE-2026-4424	HIGH	7.5	cpe-generic	needs_triage	generic CPE product match without version range; needs triage
CVE-2026-5121	HIGH	7.5	cpe-generic	needs_triage	generic CPE product match without version range; needs triage

Descriptions

CVE-2025-5914

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

CVE-2026-4424

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

CVE-2026-5121

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-5914",
    "CVE-2026-4424",
    "CVE-2026-5121"
  ],
  "fingerprint": "f182cced4ef131f91cdd",
  "generated_at": "2026-05-24T21:46:42Z",
  "package": "libarchive",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "3.7.9"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `libarchive` - Version: `3.7.9` - EVR: `3.7.9-2` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `HIGH` - Max CVSS: `7.8` - CVE count: `3` ## LLM recommendation / Рекомендация LLM ### RU Для пакета libarchive 3.7.9 найдены CVE-кандидаты по данным NVD/CPE: CVE-2025-5914, CVE-2026-4424, CVE-2026-5121. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for libarchive 3.7.9: CVE-2025-5914, CVE-2026-4424, CVE-2026-5121. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2025-5914 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-4424 | HIGH | 7.5 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage | | CVE-2026-5121 | HIGH | 7.5 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage | ## Descriptions ### CVE-2025-5914 A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition. ### CVE-2026-4424 A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction. ### CVE-2026-5121 A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2025-5914", "CVE-2026-4424", "CVE-2026-5121" ], "fingerprint": "f182cced4ef131f91cdd", "generated_at": "2026-05-24T21:46:42Z", "package": "libarchive", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "3.7.9" } ```