Libarchive security update (CVE-2026-5121, CVE-2026-4424)
37829
06 July 2026
06 July 2026
CLOSED
HIGH
Varies
CVE-2026-5121, CVE-2026-4424
|
Brocade Security Advisory ID |
BSA-2026-3617 |
|
Component |
Libarchive |
|
|
|
Summary
CVE-2026-5121 - Title: Libarchive: libarchive: arbitrary code execution via integer overflow in iso9660 image processing
Description
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
CWE-190: Integer Overflow or Wraparound
Base Score 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-4424 - Title: libarchive: information disclosure via heap out-of-bounds read in rar archive processing
Description
A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.
CWE-125: Out-of-bounds Read
Base Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Products Affected
- Brocade ASCG base OS (OVA Deployment) before 3.4.0c
Products Confirmed Not Affected
- Brocade ASCG
[VEX Justification: Vulnerable_code_not_in_execute_path] - Brocade Fabric OS
[VEX Justification: Vulnerable_code_not_in_execute_path] - Brocade SANNav standard deployment
[VEX Justification: Vulnerable_code_cannot_be_controlled_by_adversary]
Solution
- Security update provided in Brocade ASCG base OS (OVA Deployment) before 3.4.0c
Revision History
|
Version |
Change |
Date |
|
1.0 |
Initial Publication |
7/1/2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.