Bug 2446453 (CVE-2026-4111)

Summary: CVE-2026-4111 libarchive: Infinite Loop Denial of Service in RAR5 Decompression via archive_read_data() in libarchive
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2448049, 2448050, 2448051    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-11 11:27:56 UTC 
An Infinite Loop Denial-of-Service vulnerability exists in the RAR5 decompression implementation of libarchive. The flaw occurs in the uncompress_file() routine within archive_read_support_format_rar5.c due to a logical deadlock between the filter activation threshold and the half-window output limiter. When a specially crafted RAR5 archive is processed through archive_read_data(), the decompressor enters a state where neither the filter activation condition nor the output window progress condition can be satisfied. As a result, the loop continues indefinitely while consuming 100% CPU. Because the archive passes all CRC and checksum validation, the issue can be triggered using a valid-looking archive without authentication or user interaction. This allows attackers to exhaust worker threads or processing pipelines in applications that automatically extract or scan archives.
Comment 2 errata-xmlrpc 2026-03-19 08:08:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:5063 https://access.redhat.com/errata/RHSA-2026:5063
Comment 3 errata-xmlrpc 2026-03-19 11:39:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:5080 https://access.redhat.com/errata/RHSA-2026:5080