Important: libarchive can expose sensitive data or run malicious code
RLSA-2026:8510
Summary
Libarchive, used in popular file managers and tools like bsdtar, contains two security flaws that could allow attackers to access sensitive information or execute malicious code. This affects users who rely on libarchive for archive handling. To protect yourself, update to the latest version of libarchive.
What to do
- Update libarchive to version 0:3.5.3-9.el9_7.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | libarchive | < 0:3.5.3-9.el9_7 (fix: upgrade to 0:3.5.3-9.el9_7) |
Original title
Important: libarchive security update
Original description
The libarchive programming library can create and read several different streaming archive formats, including GNU tar, cpio, and ISO 9660 CD-ROM images. Libarchive is used notably in the bsdtar utility, scripting language bindings such as python-libarchive, and several popular desktop file managers.
Security Fix(es):
* libarchive: libarchive: Information disclosure via heap out-of-bounds read in RAR archive processing (CVE-2026-4424)
* libarchive: libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing (CVE-2026-5121)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVSS 3.1 (OSV): 7.5
References
- https://errata.rockylinux.org/RLSA-2026:8510 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2449006 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2452945 Third Party Advisory
Published: 19 Apr 2026 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026