Bug 2446453 (CVE-2026-4111)

Summary: CVE-2026-4111 libarchive: Infinite Loop Denial of Service in RAR5 Decompression via archive_read_data() in libarchive
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2448050, 2448051, 2448049    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-11 11:27:56 UTC 
An Infinite Loop Denial-of-Service vulnerability exists in the RAR5 decompression implementation of libarchive. The flaw occurs in the uncompress_file() routine within archive_read_support_format_rar5.c due to a logical deadlock between the filter activation threshold and the half-window output limiter. When a specially crafted RAR5 archive is processed through archive_read_data(), the decompressor enters a state where neither the filter activation condition nor the output window progress condition can be satisfied. As a result, the loop continues indefinitely while consuming 100% CPU. Because the archive passes all CRC and checksum validation, the issue can be triggered using a valid-looking archive without authentication or user interaction. This allows attackers to exhaust worker threads or processing pipelines in applications that automatically extract or scan archives.
Comment 2 errata-xmlrpc 2026-03-19 08:08:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:5063 https://access.redhat.com/errata/RHSA-2026:5063
Comment 3 errata-xmlrpc 2026-03-19 11:39:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:5080 https://access.redhat.com/errata/RHSA-2026:5080
Comment 4 errata-xmlrpc 2026-04-02 16:17:31 UTC 
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2026:6481 https://access.redhat.com/errata/RHSA-2026:6481
Comment 5 errata-xmlrpc 2026-04-06 09:20:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:6647 https://access.redhat.com/errata/RHSA-2026:6647
Comment 6 errata-xmlrpc 2026-04-08 14:24:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:7093 https://access.redhat.com/errata/RHSA-2026:7093
Comment 7 errata-xmlrpc 2026-04-08 16:36:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:7105 https://access.redhat.com/errata/RHSA-2026:7105
Comment 8 errata-xmlrpc 2026-04-08 16:41:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:7106 https://access.redhat.com/errata/RHSA-2026:7106
Comment 9 errata-xmlrpc 2026-04-16 10:24:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2026:7239 https://access.redhat.com/errata/RHSA-2026:7239
Comment 10 errata-xmlrpc 2026-04-20 02:49:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:8865 https://access.redhat.com/errata/RHSA-2026:8865
Comment 11 errata-xmlrpc 2026-04-22 08:27:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2026:8423 https://access.redhat.com/errata/RHSA-2026:8423
Comment 14 errata-xmlrpc 2026-04-29 08:53:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.19

Via RHSA-2026:10081 https://access.redhat.com/errata/RHSA-2026:10081
Comment 15 errata-xmlrpc 2026-04-30 12:10:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2026:10097 https://access.redhat.com/errata/RHSA-2026:10097
Comment 18 errata-xmlrpc 2026-05-13 13:55:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2026:15087 https://access.redhat.com/errata/RHSA-2026:15087
Comment 19 errata-xmlrpc 2026-05-13 14:16:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2026:14773 https://access.redhat.com/errata/RHSA-2026:14773