Bug 2407258 (CVE-2025-58183)

Summary: CVE-2025-58183 golang: archive/tar: Unbounded allocation when parsing GNU sparse map
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC:
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the archive/tar package in the Go standard library. tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A specially crafted tar archive with a pax header declaring a large number of sparse regions can cause a Go program to try to allocate a large amount of memory, causing an out-of-memory condition and resulting in a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:    

Description OSIDB Bzimport 2025-10-29 23:02:14 UTC
tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.
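
The allocation pattern in the description, illustrated with an added Go example that is not the Go project's archive/tar code: a parser for the PAX 1.0 sparse map that checks the attacker-controlled entry count against a limit before it sizes any allocation, and reads the map through an io.LimitReader so a small compressed input cannot turn into an unbounded read. The limit values, error names and function name are this example's own assumptions; the map layout (decimal entry count, then newline-terminated offset/length pairs) is the GNU tar PAX 1.0 format.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// SparseEntry is one (offset, length) region of real data in a sparse file.
type SparseEntry struct{ Offset, Length int64 }

const MaxSparseEntries = 1 << 16          // this example's own bound, not archive/tar's
const maxMapBytes = 32 * MaxSparseEntries // byte cap for the map (also our choice)
var ErrSparseMapTooLarge = errors.New("gnu sparse map: entry count exceeds limit")
var ErrBadSparseMap = errors.New("gnu sparse map: malformed or truncated")

// ParseGNUSparseMap1x0 parses the PAX 1.0 sparse map at the start of the file data:
// a decimal entry count, then offset/length pairs, all newline-terminated. The count
// is bounded before it sizes an allocation; io.LimitReader bounds the bytes read.
func ParseGNUSparseMap1x0(r io.Reader) ([]SparseEntry, error) {
	br := bufio.NewReader(io.LimitReader(r, maxMapBytes))
	readInt := func() (int64, error) {
		tok, err := br.ReadString('\n') // err on EOF, including EOF at the byte cap
		n, perr := strconv.ParseInt(strings.TrimSuffix(tok, "\n"), 10, 64)
		if err != nil || perr != nil || n < 0 {
			return 0, ErrBadSparseMap
		}
		return n, nil
	}
	count, err := readInt()
	if err != nil {
		return nil, err
	}
	if count > MaxSparseEntries { // the bound the vulnerable reader lacked
		return nil, ErrSparseMapTooLarge
	}
	entries := make([]SparseEntry, 0, count) // safe: count is bounded now
	for i := int64(0); i < count; i++ {
		off, err1 := readInt()
		length, err2 := readInt()
		if err1 != nil || err2 != nil || off+length < off { // truncated or overflow
			return nil, ErrBadSparseMap
		}
		entries = append(entries, SparseEntry{off, length})
	}
	return entries, nil
}

func main() {
	// Constructed inputs: a valid two-region map, then one claiming 10^12 regions.
	fmt.Println(ParseGNUSparseMap1x0(strings.NewReader("2\n0\n512\n4096\n1024\n")))
	fmt.Println(ParseGNUSparseMap1x0(strings.NewReader("1000000000000\n")))
}
```

The second input is only a few bytes long, yet an unbounded parser would size its allocation from the claimed count; the bounded parser rejects it before allocating anything.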

Comment 2 errata-xmlrpc 2025-11-20 00:17:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:21779 https://access.redhat.com/errata/RHSA-2025:21779

Comment 3 errata-xmlrpc 2025-11-20 00:28:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21778 https://access.redhat.com/errata/RHSA-2025:21778

Comment 4 errata-xmlrpc 2025-11-20 06:18:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21816 https://access.redhat.com/errata/RHSA-2025:21816

Comment 5 errata-xmlrpc 2025-11-20 06:28:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21815 https://access.redhat.com/errata/RHSA-2025:21815

Comment 6 errata-xmlrpc 2025-11-20 15:42:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:21856 https://access.redhat.com/errata/RHSA-2025:21856

Comment 7 errata-xmlrpc 2025-11-24 14:54:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:21964 https://access.redhat.com/errata/RHSA-2025:21964

Comment 8 errata-xmlrpc 2025-11-25 04:58:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:22012 https://access.redhat.com/errata/RHSA-2025:22012

Comment 9 errata-xmlrpc 2025-11-25 05:17:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:22011 https://access.redhat.com/errata/RHSA-2025:22011

Comment 10 errata-xmlrpc 2025-11-25 07:55:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:22030 https://access.redhat.com/errata/RHSA-2025:22030

Comment 11 errata-xmlrpc 2025-11-26 15:02:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:22181 https://access.redhat.com/errata/RHSA-2025:22181

Comment 12 errata-xmlrpc 2025-12-02 14:39:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.20

Via RHSA-2025:22255 https://access.redhat.com/errata/RHSA-2025:22255

Comment 13 errata-xmlrpc 2025-12-03 14:49:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:22668 https://access.redhat.com/errata/RHSA-2025:22668

Comment 14 errata-xmlrpc 2025-12-09 08:00:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:22899 https://access.redhat.com/errata/RHSA-2025:22899

Comment 15 errata-xmlrpc 2025-12-10 00:31:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:23001 https://access.redhat.com/errata/RHSA-2025:23001

Comment 16 errata-xmlrpc 2025-12-10 01:06:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:23002 https://access.redhat.com/errata/RHSA-2025:23002

Comment 17 errata-xmlrpc 2025-12-11 00:25:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23088 https://access.redhat.com/errata/RHSA-2025:23088

Comment 18 errata-xmlrpc 2025-12-11 00:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23087 https://access.redhat.com/errata/RHSA-2025:23087

Comment 19 errata-xmlrpc 2025-12-18 10:03:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:23347 https://access.redhat.com/errata/RHSA-2025:23347

Comment 20 errata-xmlrpc 2025-12-18 10:03:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2025:23348 https://access.redhat.com/errata/RHSA-2025:23348

Comment 21 errata-xmlrpc 2025-12-18 10:04:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23294 https://access.redhat.com/errata/RHSA-2025:23294

Comment 22 errata-xmlrpc 2025-12-18 10:04:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:23295 https://access.redhat.com/errata/RHSA-2025:23295

Comment 23 errata-xmlrpc 2025-12-18 11:56:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:23374 https://access.redhat.com/errata/RHSA-2025:23374

Comment 24 errata-xmlrpc 2025-12-18 12:12:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2025:23394 https://access.redhat.com/errata/RHSA-2025:23394

Comment 25 errata-xmlrpc 2025-12-18 12:21:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23325 https://access.redhat.com/errata/RHSA-2025:23325

Comment 26 errata-xmlrpc 2025-12-18 12:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:23326 https://access.redhat.com/errata/RHSA-2025:23326

Comment 27 errata-xmlrpc 2025-12-22 01:16:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:23740 https://access.redhat.com/errata/RHSA-2025:23740

Comment 28 errata-xmlrpc 2025-12-22 01:26:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:23736 https://access.redhat.com/errata/RHSA-2025:23736

Comment 29 errata-xmlrpc 2025-12-22 01:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:23733 https://access.redhat.com/errata/RHSA-2025:23733

Comment 30 errata-xmlrpc 2025-12-22 01:31:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:23741 https://access.redhat.com/errata/RHSA-2025:23741

Comment 31 errata-xmlrpc 2025-12-22 01:36:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:23746 https://access.redhat.com/errata/RHSA-2025:23746

Comment 32 errata-xmlrpc 2025-12-22 01:38:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:23747 https://access.redhat.com/errata/RHSA-2025:23747

Comment 33 errata-xmlrpc 2025-12-22 01:38:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:23737 https://access.redhat.com/errata/RHSA-2025:23737

Comment 35 errata-xmlrpc 2025-12-22 17:01:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:23948 https://access.redhat.com/errata/RHSA-2025:23948

Comment 36 errata-xmlrpc 2026-01-07 11:28:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0227 https://access.redhat.com/errata/RHSA-2026:0227

Comment 37 errata-xmlrpc 2026-01-07 12:40:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0226 https://access.redhat.com/errata/RHSA-2026:0226

Comment 38 errata-xmlrpc 2026-01-07 14:35:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0244 https://access.redhat.com/errata/RHSA-2026:0244

Comment 39 errata-xmlrpc 2026-01-07 14:40:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0243 https://access.redhat.com/errata/RHSA-2026:0243

Comment 40 errata-xmlrpc 2026-01-07 14:41:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0246 https://access.redhat.com/errata/RHSA-2026:0246

Comment 41 errata-xmlrpc 2026-01-07 14:41:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0245 https://access.redhat.com/errata/RHSA-2026:0245

Comment 42 errata-xmlrpc 2026-01-08 11:31:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0314 https://access.redhat.com/errata/RHSA-2026:0314

Comment 43 errata-xmlrpc 2026-01-12 02:15:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0424 https://access.redhat.com/errata/RHSA-2026:0424

Comment 44 errata-xmlrpc 2026-01-12 03:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0426 https://access.redhat.com/errata/RHSA-2026:0426

Comment 45 errata-xmlrpc 2026-01-12 19:57:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0477 https://access.redhat.com/errata/RHSA-2026:0477

Comment 46 errata-xmlrpc 2026-01-22 05:29:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0973 https://access.redhat.com/errata/RHSA-2026:0973

Comment 47 errata-xmlrpc 2026-01-22 11:26:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0987 https://access.redhat.com/errata/RHSA-2026:0987

Comment 48 errata-xmlrpc 2026-01-22 16:40:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:1025 https://access.redhat.com/errata/RHSA-2026:1025

Comment 49 errata-xmlrpc 2026-01-27 15:33:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1378 https://access.redhat.com/errata/RHSA-2026:1378

Comment 50 errata-xmlrpc 2026-01-27 15:55:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:1380 https://access.redhat.com/errata/RHSA-2026:1380

Comment 51 errata-xmlrpc 2026-01-27 16:05:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1379 https://access.redhat.com/errata/RHSA-2026:1379

Comment 52 errata-xmlrpc 2026-01-27 16:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1381 https://access.redhat.com/errata/RHSA-2026:1381

Comment 53 errata-xmlrpc 2026-01-27 16:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1377 https://access.redhat.com/errata/RHSA-2026:1377

Comment 55 errata-xmlrpc 2026-02-05 15:57:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1837 https://access.redhat.com/errata/RHSA-2026:1837

Comment 56 errata-xmlrpc 2026-02-05 15:58:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1838 https://access.redhat.com/errata/RHSA-2026:1838

Comment 57 errata-xmlrpc 2026-02-10 11:23:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.21

Via RHSA-2026:2082 https://access.redhat.com/errata/RHSA-2026:2082

Comment 58 errata-xmlrpc 2026-02-11 04:49:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:2071 https://access.redhat.com/errata/RHSA-2026:2071