{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2026-4111: Fix infinite loop in RAR5 decompression caused by block_length exceeding half the window size, leading to CPU-consuming denial-of-service",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "TuxCare release page for advisory CLSA-2026:1774375084",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774375084"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/advisories/2026/clsa-2026_1774375084.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-03-24T17:58:40Z",
      "generator": {
        "date": "2026-03-24T17:58:40Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1774375084",
      "initial_release_date": "2026-03-24T17:58:40Z",
      "revision_history": [
        {
          "date": "2026-03-24T17:58:40Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "libarchive: Fix of CVE-2026-4111"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_id": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libarchive@3.5.3-6.el9_2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                "product": {
                  "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_id": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libarchive-devel@3.5.3-6.el9_2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                "product": {
                  "name": "bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_id": "bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/bsdcat@3.5.3-6.el9_2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                "product": {
                  "name": "bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_id": "bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/bsdcpio@3.5.3-6.el9_2.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                "product": {
                  "name": "bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_id": "bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/bsdtar@3.5.3-6.el9_2.tuxcare.els2?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                "product": {
                  "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                  "product_id": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libarchive@3.5.3-6.el9_2.tuxcare.els2?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                "product": {
                  "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                  "product_id": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/libarchive-devel@3.5.3-6.el9_2.tuxcare.els2?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        },
        "product_reference": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686"
        },
        "product_reference": "libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        },
        "product_reference": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686"
        },
        "product_reference": "libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        },
        "product_reference": "bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        },
        "product_reference": "bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        },
        "product_reference": "bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-4111",
      "cwe": {
        "id": "CWE-835",
        "name": "Loop with Unreachable Exit Condition ('Infinite Loop')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AlmaLinux-9.2:bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
          "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
          "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2026-4111"
        }
      ],
      "release_date": "2026-03-11T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-24T17:58:07.069651Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1774375084",
          "product_ids": [
            "AlmaLinux-9.2:bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
            "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
            "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1774375084"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:bsdcat-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:bsdcpio-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:bsdtar-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.i686",
            "AlmaLinux-9.2:libarchive-0:3.5.3-6.el9_2.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.i686",
            "AlmaLinux-9.2:libarchive-devel-0:3.5.3-6.el9_2.tuxcare.els2.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ]
    }
  ]
}