CVE-2025-5915

NameCVE-2025-5915
DescriptionA vulnerability has been identified in the libarchive library. This flaw can lead to a heap buffer over-read due to the size of a filter block potentially exceeding the Lempel-Ziv-Storer-Schieber (LZSS) window. This means the library may attempt to read beyond the allocated memory buffer, which can result in unpredictable program behavior, crashes (denial of service), or the disclosure of sensitive information from adjacent memory regions.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1107622

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libarchive (PTS)bullseye3.4.3-2+deb11u1vulnerable
bullseye (security)3.4.3-2+deb11u2vulnerable
bookworm3.6.2-1+deb12u3fixed
bookworm (security)3.6.2-1+deb12u2vulnerable
forky, sid, trixie3.7.4-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libarchivesourcebookworm3.6.2-1+deb12u3
libarchivesource(unstable)3.7.4-41107622

Notes

[bullseye] - libarchive <postponed> (Minor issue)
https://github.com/libarchive/libarchive/pull/2599
Fixed by: https://github.com/libarchive/libarchive/commit/a612bf62f86a6faa47bd57c52b94849f0a404d8c (v3.8.0)
Search for package or bug name: Reporting problems