Vulnetix
Try Vulnetix Request Demo
ESB-2026.3303 PUBLISHED CVSS 7.800000190734863 HIGH

=========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2026.3303 USN-8147-1: libarchive vulnerabilities 7 April 2026 =========================================================================== AUSCERT Security Bulletin Summary --------------------------------- Product: libarchive Publisher: Ubuntu Operating System: Ubuntu Resolution: Patch/Upgrade CVE Names: CVE-2025-25724 CVE-2025-60753 CVE-2019-19221 CVE-2026-4111 CVE-2024-20696 CVE-2025-5914 CVE-2025-5916 CVE-2025-5917 CVE-2025-5918 Original Bulletin: https://ubuntu.com/security/notices/USN-8147-1 Comment: CVSS (Max): 7.8 CVE-2025-5914 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) CVSS Source: Ubuntu Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS (Max): 7.2% (91st) CVE-2024-20696 2026-04-06 - --------------------------BEGIN INCLUDED TEXT-------------------- USN-8147-1: libarchive vulnerabilities Publication date 2 April 2026 Overview Several security issues were fixed in libarchive. Releases 25.10 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS 14.04 LTS --------------------------------------------------------------------------------- Open side navigation Packages o libarchive - Library to read/write archive files Details It was discovered that libarchive incorrectly handled certain archive files. An attacker could possibly use this issue to access sensitive information. This issue only affected Ubuntu 14.04 LTS. ( CVE-2019-19221 ) It was discovered that libarchive incorrectly handled certain RAR archive files. If a user or automated system were tricked into processing a specially crafted RAR archive, an attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. ( CVE-2024-20696 ) It was discovered that libarchive incorrectly handled certain RAR archive files. An attacker could possibly use this issue to execute arbitrary code or cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. ( CVE-2025-5914 ) It was discovered that libarchive incorrectly handled certain WARC archive files. If a user or automated system were tricked into processing a specially crafted WARC archive, an attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. ( CVE-2025-5916 ) It was discovered that libarchive incorrectly handled certain file names when handling prefixes and suffixes. An attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. ( CVE-2025-5917 ) It was discovered that libarchive could read past the end of file streams when processing input to bsdtar. An attacker could possibly use this issue to cause memory corruption or a denial of service. ( CVE-2025-5918 ) It was discovered that libarchive incorrectly handled certain TAR archive files. If a user or automated system were tricked into processing a specially crafted TAR archive, an attacker could possibly use this issue to cause libarchive to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. ( CVE-2025-25724 ) HyungJung Joo discovered that libarchive did not properly limit memory allocation when processing substitution rules in bsdtar. An attacker could possibly use this issue to cause excessive memory consumption, leading to a denial of service. ( CVE-2025-60753 ) Elhanan Haenel discovered that libarchive could enter an infinite loop when processing crafted RAR5 archives. An attacker could possibly use this issue to cause excessive CPU consumption, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. ( CVE-2026-4111 ) --------------------------------------------------------------------------------- Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu Package Version Release 25.10 libarchive-dev - 3.7.7-0ubuntu3.1 questing libarchive-tools - 3.7.7-0ubuntu3.1 libarchive13t64 - 3.7.7-0ubuntu3.1 24.04 LTS libarchive-dev - 3.7.2-2ubuntu0.6 noble libarchive-tools - 3.7.2-2ubuntu0.6 libarchive13t64 - 3.7.2-2ubuntu0.6 22.04 LTS libarchive-dev - 3.6.0-1ubuntu1.6 jammy libarchive-tools - 3.6.0-1ubuntu1.6 libarchive13 - 3.6.0-1ubuntu1.6 libarchive-dev - 3.4.0-2ubuntu1.5+esm1 Ubuntu Pro Fix available with Ubuntu Pro . 20.04 LTS libarchive-tools - 3.4.0-2ubuntu1.5+esm1 Ubuntu Pro Fix available focal with Ubuntu Pro . libarchive13 - 3.4.0-2ubuntu1.5+esm1 Ubuntu Pro Fix available with Ubuntu Pro . bsdcpio - 3.2.2-3.1ubuntu0.7+esm2 Ubuntu Pro Fix available with Ubuntu Pro . bsdtar - 3.2.2-3.1ubuntu0.7+esm2 Ubuntu Pro Fix available with Ubuntu Pro . 18.04 LTS libarchive-dev - 3.2.2-3.1ubuntu0.7+esm2 Ubuntu Pro Fix available bionic with Ubuntu Pro . libarchive-tools - 3.2.2-3.1ubuntu0.7+esm2 Ubuntu Pro Fix available with Ubuntu Pro . libarchive13 - 3.2.2-3.1ubuntu0.7+esm2 Ubuntu Pro Fix available with Ubuntu Pro . bsdcpio - 3.1.2-11ubuntu0.16.04.8+esm2 Ubuntu Pro Fix available with Ubuntu Pro . bsdtar - 3.1.2-11ubuntu0.16.04.8+esm2 Ubuntu Pro Fix available with 16.04 LTS Ubuntu Pro . xenial libarchive-dev - 3.1.2-11ubuntu0.16.04.8+esm2 Ubuntu Pro Fix available with Ubuntu Pro . libarchive13 - 3.1.2-11ubuntu0.16.04.8+esm2 Ubuntu Pro Fix available with Ubuntu Pro . bsdcpio - 3.1.2-7ubuntu2.8+esm4 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. bsdtar - 3.1.2-7ubuntu2.8+esm4 Ubuntu Pro Fix available with Ubuntu 14.04 LTS Pro via Legacy Support add-on. trusty libarchive-dev - 3.1.2-7ubuntu2.8+esm4 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. libarchive13 - 3.1.2-7ubuntu2.8+esm4 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. --------------------------------------------------------------------------------- References o CVE-2026-4111 o CVE-2025-60753 o CVE-2025-5918 o CVE-2025-5917 o CVE-2025-5916 o CVE-2025-5914 o CVE-2025-25724 o CVE-2024-20696 o CVE-2019-19221 Related notices o USN-7601-1 o USN-7454-1 o USN-7087-1 o USN-4293-1 - --------------------------END INCLUDED TEXT---------------------- You have received this e-mail bulletin as a result of your organisation's registration with AUSCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AUSCERT's members. As AUSCERT did not write the document quoted above, AUSCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AUSCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://portal.auscert.org.au/bulletins/ =========================================================================== AUSCERT The University of Queensland, Brisbane QLD 4072 Australia e: auscert@auscert.org.au t: +61 (0)7 3365 4417 Allies in Cyber Security ===========================================================================

Risk Scores

CVSS v3.1
7.800000190734863
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Ubuntulibarchive

Timeline

References

Open in Interactive Console →