SUSE Package Hub - SUSE-PackageHub-16.0-799

Update Info

SUSE-PackageHub-16.0-799

Security update for libarchive

Type: security

Severity: important

Issued: 2026-05-25

Description:

This update for libarchive fixes the following issues

- CVE-2026-4111: logical deadlock the RAR5 filter subsystem and the half-window output limiter leads to infinite loop
  and DoS (bsc#1259635).
- CVE-2026-4424: 257-byte heap memory leak when processing a 170-byte RAR3 (bsc#1259928).
- CVE-2026-4426: undefined behavior due to unvalidated operand in shift expression of the zisofs decompression code
  (bsc#1259931).
- CVE-2026-5121: missing validation check for pz_log2_bs can a heap buffer overflow write (bsc#1261186).

References

CVE: CVE-2026-5121
CVE: CVE-2026-4426
CVE: CVE-2026-4424
CVE: CVE-2026-4111
Bugzilla: 1261186 VUL-0: CVE-2026-5121: libarchive: libarchive: missing validation check for pz_log2_bs can a heap buffer overflow write
Bugzilla: 1259931 VUL-0: CVE-2026-4426: libarchive: libarchive: undefined behavior due to unvalidated operand in shift expression of the zisofs decompression code
Bugzilla: 1259928 VUL-0: CVE-2026-4424: libarchive: libarchive: 257-byte heap memory leak when processing a 170-byte RAR3
Bugzilla: 1259635 VUL-0: CVE-2026-4111: libarchive: libarchive: logical deadlock the RAR5 filter subsystem and the half-window output limiter leads to infinite loop and DoS

Packages

libarchive-3.8.1-160000.3.1