CVE-2026-5745

NameCVE-2026-5745
DescriptionA flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1132998

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libarchive (PTS)bullseye3.4.3-2+deb11u1vulnerable
bullseye (security)3.4.3-2+deb11u3vulnerable
bookworm3.6.2-1+deb12u3vulnerable
bookworm (security)3.6.2-1+deb12u2vulnerable
trixie3.7.4-4vulnerable
forky3.8.5-1vulnerable
sid3.8.6-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libarchivesource(unstable)(unfixed)unimportant1132998

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=2455921
https://github.com/libarchive/libarchive/issues/2904
https://github.com/libarchive/libarchive/issues/2904#issuecomment-4257068822
No security impact
Search for package or bug name: Reporting problems