Home

Description

A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.

PUBLISHED Reserved 2026-07-08 | Published 2026-07-10 | Updated 2026-07-13 | Assigner redhat




LOW: 3.9CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Product status

Default status
affected

3.8.8-2.1.hum1 (rpm) before *
unaffected

Default status
affected

Default status
unknown

Default status
unknown

Default status
affected

Default status
affected

Default status
unknown

Timeline

2026-07-08:Reported to Red Hat.
2026-07-08:Made public.

References

access.redhat.com/errata/RHSA-2026:38279 (RHSA-2026:38279) vendor-advisory

access.redhat.com/security/cve/CVE-2026-15028 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2497970 (RHBZ#2497970) issue-tracking

github.com/libarchive/libarchive/issues/3251

github.com/libarchive/libarchive/pull/3253

cve.org (CVE-2026-15028)

nvd.nist.gov (CVE-2026-15028)

Download JSON