libarchive-3.3.3-7.el8_10
Errata ID: AXSA:2026-475:03
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers.
Security Fix(es):
* libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing (CVE-2026-4424)
* libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing (CVE-2026-5121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2026-4424
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
CVE-2026-5121
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Update packages.
N/A
SRPMS
- libarchive-3.3.3-7.el8_10.src.rpm
MD5: b19f046a344b9764556421a1499d8cc3
SHA-256: c1dea175df4a6574bb835c9c5f02396bffc5649723094cd62eec334fdef91d5e
Size: 6.27 MB
Asianux Server 8 for x86_64
- bsdtar-3.3.3-7.el8_10.x86_64.rpm
MD5: cee7c67105109423d914a7bae694d146
SHA-256: e9059fc4e58e1bef97b33e10f3e8b731683720132857ed2656fea9521a4c21f1
Size: 70.16 kB
- libarchive-3.3.3-7.el8_10.i686.rpm
MD5: d906f2cccf694306cbddc61297c21f23
SHA-256: 36452c661478b26692a130187a6203627837e57b5473ebee5fc68f6990b03d48
Size: 400.57 kB
- libarchive-3.3.3-7.el8_10.x86_64.rpm
MD5: 83f500b8b5f24e584c4cdcde42b5ff26
SHA-256: 4eae9e002032bc60ddb086238d2d607a873d54895e96778346e71c52792b8841
Size: 359.26 kB
- libarchive-devel-3.3.3-7.el8_10.i686.rpm
MD5: c0d9833dc3fe7f5c20a51c5ca80c72ea
SHA-256: 86f388d7be14a0b1ff04b3a951f2b3aef7c65a327444721df0ff39da00a69d76
Size: 131.03 kB
- libarchive-devel-3.3.3-7.el8_10.x86_64.rpm
MD5: bdc75acb2d29b9b678ad2360713f4b63
SHA-256: 71ccb91a04d97dace8f5d038adde7964cbfc4e8b22cac1c47d06012a2f857825
Size: 131.01 kB
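To confirm that a host has picked up the fixed build 3.3.3-7.el8_10 listed above, the following added example (not part of the advisory or of libarchive) audits `rpm` query output with a simplified RPM version comparison. The function names, the sample lines and the treatment of the i686 multilib library as a "32-bit system" for CVE-2026-5121 are assumptions of this example.

```python
import re

FIXED_VERSION, FIXED_RELEASE = "3.3.3", "7.el8_10"   # fixed build, from this advisory
PACKAGES = {"libarchive", "libarchive-devel", "bsdtar"}  # binary RPMs it lists

def rpmvercmp(a, b):
    """Order two version or release strings the way RPM does (simplified:
    no epoch, '~' or '^' handling, none of which these packages use)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment is newer than an alpha one
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def is_fixed(version, release):
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpmvercmp(release, FIXED_RELEASE) >= 0)

def audit(rpm_lines):
    """rpm_lines: output of
         rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\\n'
    Returns (name, arch, installed build, is_32bit_library) for every
    package from this advisory that is still below the fixed build."""
    findings = []
    for line in rpm_lines:
        parts = line.split()
        if len(parts) != 4 or parts[0] not in PACKAGES:
            continue
        name, version, release, arch = parts
        if is_fixed(version, release):
            continue
        # Assumption: the "32-bit systems" condition of CVE-2026-5121 also
        # covers the i686 multilib library installed on an x86_64 host.
        is_32bit_library = name == "libarchive" and arch == "i686"
        findings.append((name, arch, f"{version}-{release}", is_32bit_library))
    return findings

SAMPLE = [  # constructed sample lines, not taken from a real host
    "libarchive 3.3.3 5.el8 x86_64",
    "libarchive 3.3.3 5.el8 i686",
    "bsdtar 3.3.3 7.el8_10 x86_64",
    "libarchive-devel 3.3.3 7.el8_10.1 x86_64",
    "zlib 1.2.11 25.el8 x86_64",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means every installed package named in this advisory is at or above the fixed build.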