CVE-2026-4111

Name: CVE-2026-4111
Description: A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      Release               Version            Status
libarchive (PTS)    bullseye              3.4.3-2+deb11u1    vulnerable
                    bullseye (security)   3.4.3-2+deb11u3    vulnerable
                    bookworm              3.6.2-1+deb12u3    vulnerable
                    bookworm (security)   3.6.2-1+deb12u2    vulnerable
                    trixie                3.7.4-4            vulnerable
                    forky, sid            3.8.5-1            vulnerable

The information below is based on the following data on fixed versions.

Package       Type      Release       Fixed Version   Urgency   Origin   Debian Bugs
libarchive    source    (unstable)    (unfixed)

Notes

https://github.com/libarchive/libarchive/pull/2877
Testcase: https://github.com/libarchive/libarchive/commit/ef53e2023d75a205cf7cbddb5d01c4cc592e9ce4
Fixed by: https://github.com/libarchive/libarchive/commit/7273d04803a1e5a482f26d8d0fbaf2b204a72168
