Source: libarchive
Version: 3.8.7-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/libarchive/libarchive/issues/3069
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libarchive.

CVE-2026-14164[0]:
| A double free issue has been identified in libarchive's RAR5 reader.
| During parsing of a specially crafted RAR5 archive, the filtered_buf
| pointer may remain stale after being freed during unpacking state
| reinitialization. Subsequent processing of another archive entry can
| trigger a second free of the same memory region, resulting in a
| double-free condition. Successful exploitation may cause
| applications using the vulnerable libarchive API to terminate
| unexpectedly, leading to a denial of service.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-14164
    https://www.cve.org/CVERecord?id=CVE-2026-14164
[1] https://github.com/libarchive/libarchive/issues/3069
[2] https://github.com/libarchive/libarchive/pull/3071
[3] 
https://github.com/libarchive/libarchive/commit/1c914cdfef533cbee1ae3aa21a89ba02ed4d5f61

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Reply via email to