Bug 2282521 (CVE-2024-26256) - CVE-2024-26256 libarchive: Heap based buffer overflow in rar e8 filter
Summary: CVE-2024-26256 libarchive: Heap based buffer overflow in rar e8 filter
Status: NEW
Alias: CVE-2024-26256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Product Security
QA Contact:
: 2290446 (view as bug list)
Depends On: 2282530 2282531 2282527 2282528 2282529
Blocks: 2282522 CVE-2024-20697
TreeView+ depends on / blocked
Reported: 2024-05-22 13:54 UTC by Zack Miele
Modified: 2024-06-06 13:57 UTC (History)
37 users (show)

Fixed In Version: libarchive 3.7.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the libarchive library. A heap-based buffer overflow in the execute_filter_e8 function in the libarchive/archive_read_support_format_rar.c file can be triggered when a specially crafted RAR archive is processed, causing a crash to the application linked to the library, and resulting in a denial of service.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Zack Miele 2024-05-22 13:54:34 UTC
A heap-based buffer overflow flaw was found in the rar e8 filter in libarchive. An attacker could trick a user into opening a specially crafted rar archive to induce a denial of service or arbitrary code execution in the context of the application using libarchive.


Upstream patch:

Comment 1 Zack Miele 2024-05-22 14:06:18 UTC
Created cmake3 tracking bugs for this issue:

Affects: epel-7 [bug 2282528]

Created libarchive tracking bugs for this issue:

Affects: fedora-39 [bug 2282529]
Affects: fedora-40 [bug 2282527]

Created mingw-libarchive tracking bugs for this issue:

Affects: fedora-39 [bug 2282530]
Affects: fedora-40 [bug 2282531]

Comment 5 Lukas Javorsky 2024-06-06 07:08:51 UTC
*** Bug 2290446 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.