{
  "threat_severity" : "Moderate",
  "public_date" : "2026-03-30T07:44:15Z",
  "bugzilla" : {
    "description" : "libarchive: libarchive: Arbitrary code execution via integer overflow in ISO9660 image processing",
    "id" : "2452945",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2452945"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.", "A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system." ],
  "statement" : "Important: An integer overflow flaw in `libarchive` on 32-bit systems can lead to a heap buffer overflow. This vulnerability occurs when processing a specially crafted ISO9660 image, allowing an attacker to potentially execute arbitrary code. Red Hat Enterprise Linux 64-bit systems are not affected by this flaw.",
  "acknowledgement" : "Red Hat would like to thank Elhanan Haenel for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8517",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "libarchive-0:3.1.2-14.el7_9.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8534",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libarchive-0:3.3.3-7.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8521",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.2",
    "package" : "libarchive-0:3.3.2-8.el8_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9592",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.4",
    "package" : "libarchive-0:3.3.3-1.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9592",
    "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4",
    "package" : "libarchive-0:3.3.3-1.el8_4.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8908",
    "cpe" : "cpe:/o:redhat:rhel_aus:8.6",
    "package" : "libarchive-0:3.3.3-6.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8908",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.6",
    "package" : "libarchive-0:3.3.3-6.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8908",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.6",
    "package" : "libarchive-0:3.3.3-6.el8_6.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9026",
    "cpe" : "cpe:/o:redhat:rhel_tus:8.8",
    "package" : "libarchive-0:3.3.3-5.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9026",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.8",
    "package" : "libarchive-0:3.3.3-5.el8_8.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8510",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "libarchive-0:3.5.3-9.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8510",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "libarchive-0:3.5.3-9.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8867",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "libarchive-0:3.5.3-2.el9_0.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8864",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2",
    "package" : "libarchive-0:3.5.3-5.el9_2.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8873",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "libarchive-0:3.5.3-5.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8866",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "libarchive-0:3.5.3-7.el9_6.1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.12",
    "release_date" : "2026-05-08T00:00:00Z",
    "advisory" : "RHSA-2026:12274",
    "cpe" : "cpe:/a:redhat:openshift:4.12::el8",
    "package" : "rhcos-412.86.202604281506-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.14",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:15087",
    "cpe" : "cpe:/a:redhat:openshift:4.14::el9",
    "package" : "rhcos-414.92.202605060243-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.15",
    "release_date" : "2026-05-13T00:00:00Z",
    "advisory" : "RHSA-2026:14773",
    "cpe" : "cpe:/a:redhat:openshift:4.15::el9",
    "package" : "rhcos-415.92.202605060220-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2026-04-30T00:00:00Z",
    "advisory" : "RHSA-2026:10097",
    "cpe" : "cpe:/a:redhat:openshift:4.16::el9",
    "package" : "rhcos-416.94.202604211449-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:17596",
    "cpe" : "cpe:/a:redhat:openshift:4.17::el9",
    "package" : "rhcos-417.94.202605112123-0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.18",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:12071",
    "cpe" : "cpe:/a:redhat:openshift:4.18::el9",
    "package" : "rhcos-418.94.202604240015-0"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-businesscentral-monitoring-rhel8:7.13.5-4.1777325677"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-businesscentral-rhel8:7.13.5-4.1777325711"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-controller-rhel8:7.13.5-4.1777325710"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-dashbuilder-rhel8:7.13.5-3.1777325680"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-kieserver-rhel8:7.13.5-4.1777325709"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-process-migration-rhel8:7.13.5-4.1777325680"
  }, {
    "product_name" : "RHEL-8 based Middleware Containers",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13812",
    "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8",
    "package" : "rhpam-7/rhpam-smartrouter-rhel8:7.13.5-4.1777325708"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19724",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1779223654"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.2",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19725",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.2::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1779223651"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16008",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/model-opt-cuda-rhel9:1778244559"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16009",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/vllm-rocm-rhel9:1778244531"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-05-11T00:00:00Z",
    "advisory" : "RHSA-2026:16030",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/vllm-cuda-rhel9:1778274666"
  }, {
    "product_name" : "Red Hat AI Inference Server 3.3",
    "release_date" : "2026-05-12T00:00:00Z",
    "advisory" : "RHSA-2026:16174",
    "cpe" : "cpe:/a:redhat:ai_inference_server:3.3::el9",
    "package" : "rhaiis/vllm-spyre-rhel9:1778244546"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-05-07T00:00:00Z",
    "advisory" : "RHSA-2026:14937",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-ui-rhel9:1778156756"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:8944",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "libarchive-main-3.8.7-1.hum1"
  }, {
    "product_name" : "Red Hat Insights proxy 1.5",
    "release_date" : "2026-04-22T00:00:00Z",
    "advisory" : "RHSA-2026:9832",
    "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9",
    "package" : "insights-proxy/insights-proxy-container-rhel9:1776868961"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10065",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:1776868774"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10065",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:1776868744"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10065",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:1776868772"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-23T00:00:00Z",
    "advisory" : "RHSA-2026:10065",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:1776868842"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-kubernetes-tp-rhel9:1777459441"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-tp-rhel9:1777454300"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-04-29T00:00:00Z",
    "advisory" : "RHSA-2026:11768",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-tp-rhel9:1777459504"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Under investigation",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Under investigation",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-5121\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5121\nhttps://github.com/advisories/GHSA-2vwv-vqpv-v8vc\nhttps://github.com/libarchive/libarchive/pull/2934" ],
  "name" : "CVE-2026-5121",
  "mitigation" : {
    "value" : "To mitigate this issue, avoid processing untrusted ISO9660 images with applications that utilize `libarchive`. Users should only extract or read content from ISO images obtained from trusted sources.",
    "lang" : "en:us"
  },
  "csaw" : false
}