CVE-2026-5121

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2026:10065
https://access.redhat.com/errata/RHSA-2026:8510
https://access.redhat.com/errata/RHSA-2026:8517
https://access.redhat.com/errata/RHSA-2026:8521
https://access.redhat.com/errata/RHSA-2026:8534
https://access.redhat.com/errata/RHSA-2026:8864
https://access.redhat.com/errata/RHSA-2026:8866
https://access.redhat.com/errata/RHSA-2026:8867
https://access.redhat.com/errata/RHSA-2026:8873
https://access.redhat.com/errata/RHSA-2026:8908
https://access.redhat.com/errata/RHSA-2026:9026
https://access.redhat.com/errata/RHSA-2026:9592
https://access.redhat.com/errata/RHSA-2026:9832
https://access.redhat.com/security/cve/CVE-2026-5121	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2452945
https://github.com/advisories/GHSA-2vwv-vqpv-v8vc	Third Party Advisory
https://github.com/libarchive/libarchive/pull/2934	Issue Tracking Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:libarchive:libarchive:-:::::::*
	cpe:2.3:a:redhat:hardened_images:-:::::::*
	cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:7.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:10.0:::::::*

History

23 Apr 2026, 07:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:10065 -

22 Apr 2026, 18:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:9832 -

22 Apr 2026, 07:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:9592 -

20 Apr 2026, 14:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:9026 -

20 Apr 2026, 09:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8866 -

20 Apr 2026, 06:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8908 -

20 Apr 2026, 05:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8873 -

20 Apr 2026, 04:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8864 -

20 Apr 2026, 03:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8867 -

16 Apr 2026, 20:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8517 - () https://access.redhat.com/errata/RHSA-2026:8521 -

16 Apr 2026, 19:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8534 -

16 Apr 2026, 17:16

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2026:8510 -

14 Apr 2026, 17:16

Type	Values Removed	Values Added
References		() https://bugzilla.redhat.com/show_bug.cgi?id=2452945 -

14 Apr 2026, 16:36

Type	Values Removed	Values Added
CPE		cpe:2.3:o:redhat:enterprise_linux:10.0:::::::* cpe:2.3:a:redhat:hardened_images:-:::::::* cpe:2.3:o:redhat:enterprise_linux:9.0:::::::* cpe:2.3:o:redhat:enterprise_linux:7.0:::::::* cpe:2.3:o:redhat:enterprise_linux:6.0:::::::* cpe:2.3:a:redhat:openshift_container_platform:4.0:::::::* cpe:2.3:o:redhat:enterprise_linux:8.0:::::::* cpe:2.3:a:libarchive:libarchive:-:::::::*
References	~~() https://access.redhat.com/security/cve/CVE-2026-5121 -~~	() https://access.redhat.com/security/cve/CVE-2026-5121 - Third Party Advisory
References	~~() https://github.com/advisories/GHSA-2vwv-vqpv-v8vc -~~	() https://github.com/advisories/GHSA-2vwv-vqpv-v8vc - Third Party Advisory
References	~~() https://github.com/libarchive/libarchive/pull/2934 -~~	() https://github.com/libarchive/libarchive/pull/2934 - Issue Tracking, Patch
First Time		Redhat Redhat enterprise Linux Libarchive libarchive Libarchive Redhat hardened Images Redhat openshift Container Platform

14 Apr 2026, 16:16

Type	Values Removed	Values Added
References		() https://github.com/advisories/GHSA-2vwv-vqpv-v8vc -
CVSS	v2 : ~~unknown~~ v3 : ~~9.8~~	v2 : unknown v3 : 7.5
Summary		(es) Se encontró un fallo en libarchive. En sistemas de 32 bits, existe una vulnerabilidad de desbordamiento de entero en la lógica de asignación de punteros de bloque zisofs. Un atacante remoto puede explotar esto al proporcionar una imagen ISO9660 especialmente diseñada, lo que puede llevar a un desbordamiento de búfer de pila. Esto podría permitir potencialmente la ejecución de código arbitrario en el sistema afectado.

31 Mar 2026, 15:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE		CWE-190

30 Mar 2026, 08:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 08:16

Updated : 2026-04-23 07:16

NVD link : CVE-2026-5121

Mitre link : CVE-2026-5121

CVE.ORG link : CVE-2026-5121

JSON object : View

Products Affected

libarchive

libarchive

redhat

openshift_container_platform
enterprise_linux
hardened_images

CWE

CWE-190

Integer Overflow or Wraparound

7.5 /10