Description
A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.
Product status
3.8.8-2.1.hum1 (rpm) before *
Timeline
| 2026-07-08: | Reported to Red Hat. |
| 2026-07-08: | Made public. |
References
access.redhat.com/errata/RHSA-2026:38279 (RHSA-2026:38279)
access.redhat.com/security/cve/CVE-2026-15028
bugzilla.redhat.com/show_bug.cgi?id=2497970 (RHBZ#2497970)
github.com/libarchive/libarchive/issues/3251
github.com/libarchive/libarchive/pull/3253