CVE-2026-4426

MEDIUM EPSS 22.2%

Published Mar 19, 20263mo ago · Modified Jun 17, 20261w ago

6.5 CVSS 3.1

Medium

Published Mar 19, 2026 3mo ago

Last Modified Jun 17, 2026 1w ago

Description

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

CVSS Details

Base Score

6.5

Exploitability

2.8

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

22.2% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-1335

Affected Products 8

Vendor	Product	Version	Range
libarchive	libarchive	*	any
redhat	hardened_images	*	any
redhat	openshift_container_platform	4.0	any
redhat	enterprise_linux	6.0	any
redhat	enterprise_linux	7.0	any
redhat	enterprise_linux	8.0	any
redhat	enterprise_linux	9.0	any
redhat	enterprise_linux	10.0	any

References 4

access.redhat.com https://access.redhat.com/errata/RHSA-2026:8944
access.redhat.com https://access.redhat.com/security/cve/CVE-2026-4426

Third Party Advisory
bugzilla.redhat.com https://bugzilla.redhat.com/show_bug.cgi?id=2449010

Issue TrackingThird Party Advisory
github.com https://github.com/libarchive/libarchive/pull/2897

Issue TrackingPatch

Remediation

github.com https://github.com/libarchive/libarchive/pull/2897

Issue TrackingPatch