{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4111", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-13T11:33:42.645Z", "datePublished": "2026-03-13T11:45:20.653Z", "dateUpdated": "2026-06-10T17:33:56.419Z"}, "containers": {"cna": {"title": "Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.7.7-5.el10_1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:10.1"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.7.7-5.el10_0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-7.el9_7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-7.el9_7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-2.el9_0.3", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-5.el9_2.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_e4s:9.2::appstream", "cpe:/o:redhat:rhel_e4s:9.2::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-4.el9_4.2", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream", "cpe:/a:redhat:rhel_eus:9.4::crb", "cpe:/o:redhat:rhel_eus:9.4::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "affected", "versions": [{"version": "0:3.5.3-6.el9_6.1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.6::appstream", "cpe:/o:redhat:rhel_eus:9.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "413.92.202604080111-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.13::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "414.92.202605060243-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.14::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "415.92.202605060220-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.15::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "416.94.202604211449-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.16::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.17", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "417.94.202605112123-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.17::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.18", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "418.94.202604140044-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.18::el9"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.19", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "versions": [{"version": "4.19.9.6.202604211219-0", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:openshift:4.19::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/model-opt-cuda-rhel9", "defaultStatus": "affected", "versions": [{"version": "1780681984", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/vllm-cuda-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775740563", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/model-opt-cuda-rhel9", "defaultStatus": "affected", "versions": [{"version": "1778244559", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/vllm-rocm-rhel9", "defaultStatus": "affected", "versions": [{"version": "1778244531", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/vllm-spyre-rhel9", "defaultStatus": "affected", "versions": [{"version": "1778244546", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/vllm-cuda-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775680192", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/vllm-rocm-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775680262", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhaiis/model-opt-cuda-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775749857", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Discovery 2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "discovery/discovery-server-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775668717", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:discovery:2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Discovery 2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "discovery/discovery-ui-rhel9", "defaultStatus": "affected", "versions": [{"version": "1775675922", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:discovery:2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Hardened Images", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "libarchive-main", "defaultStatus": "affected", "versions": [{"version": "3.8.7-1.hum1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:hummingbird:1"]}, {"vendor": "Red Hat", "product": "Red Hat Insights proxy 1.5", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "insights-proxy/insights-proxy-container-rhel9", "defaultStatus": "affected", "versions": [{"version": "1776868961", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:insights_proxy:1.5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhui5/cds-rhel9", "defaultStatus": "affected", "versions": [{"version": "1776868774", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhui:5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhui5/haproxy-rhel9", "defaultStatus": "affected", "versions": [{"version": "1776868744", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhui:5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhui5/installer-rhel9", "defaultStatus": "affected", "versions": [{"version": "1776868772", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhui:5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhui5/rhua-rhel9", "defaultStatus": "affected", "versions": [{"version": "1776868842", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhui:5::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libarchive", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:10065", "name": "RHSA-2026:10065", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:10081", "name": "RHSA-2026:10081", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:10097", "name": "RHSA-2026:10097", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:14773", "name": "RHSA-2026:14773", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:15087", "name": "RHSA-2026:15087", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16008", "name": "RHSA-2026:16008", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16009", "name": "RHSA-2026:16009", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16174", "name": "RHSA-2026:16174", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:17596", "name": "RHSA-2026:17596", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:25096", "name": "RHSA-2026:25096", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:5063", "name": "RHSA-2026:5063", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:5080", "name": "RHSA-2026:5080", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6647", "name": "RHSA-2026:6647", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7093", "name": "RHSA-2026:7093", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7105", "name": "RHSA-2026:7105", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7106", "name": "RHSA-2026:7106", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7239", "name": "RHSA-2026:7239", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7329", "name": "RHSA-2026:7329", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7335", "name": "RHSA-2026:7335", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8423", "name": "RHSA-2026:8423", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8746", "name": "RHSA-2026:8746", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8747", "name": "RHSA-2026:8747", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8748", "name": "RHSA-2026:8748", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8865", "name": "RHSA-2026:8865", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8944", "name": "RHSA-2026:8944", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:9832", "name": "RHSA-2026:9832", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4111", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446453", "name": "RHBZ#2446453", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/libarchive/libarchive/pull/2877"}], "datePublic": "2026-03-11T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-03-11T11:18:51.609Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Elhanan Haenel for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-10T17:33:56.419Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T13:36:13.170394Z", "id": "CVE-2026-4111", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:36:18.676Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4111", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T13:36:13.170394Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T13:36:15.741Z"}}], "cna": {"title": "Libarchive: infinite loop denial of service in rar5 decompression via archive_read_data() in libarchive", "credits": [{"lang": "en", "value": "Red Hat would like to thank Elhanan Haenel for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10.1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "versions": [{"status": "unaffected", "version": "0:3.7.7-5.el10_1", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux_eus:10.0"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10.0 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:3.7.7-5.el10_0", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:3.5.3-7.el9_7", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:3.5.3-7.el9_7", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.0::appstream", "cpe:/o:redhat:rhel_e4s:9.0::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:3.5.3-2.el9_0.3", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_e4s:9.2::appstream", "cpe:/o:redhat:rhel_e4s:9.2::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "versions": [{"status": "unaffected", "version": "0:3.5.3-5.el9_2.1", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.4::appstream", "cpe:/a:redhat:rhel_eus:9.4::crb", "cpe:/o:redhat:rhel_eus:9.4::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.4 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:3.5.3-4.el9_4.2", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.6::appstream", "cpe:/o:redhat:rhel_eus:9.6::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:3.5.3-6.el9_6.1", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.13::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.13", "versions": [{"status": "unaffected", "version": "413.92.202604080111-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.14::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.14", "versions": [{"status": "unaffected", "version": "414.92.202605060243-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.15::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.15", "versions": [{"status": "unaffected", "version": "415.92.202605060220-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.16::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.16", "versions": [{"status": "unaffected", "version": "416.94.202604211449-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.17::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.17", "versions": [{"status": "unaffected", "version": "417.94.202605112123-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.18::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.18", "versions": [{"status": "unaffected", "version": "418.94.202604140044-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4.19::el9"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4.19", "versions": [{"status": "unaffected", "version": "4.19.9.6.202604211219-0", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.2::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.2", "versions": [{"status": "unaffected", "version": "1780681984", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/model-opt-cuda-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.2::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.2", "versions": [{"status": "unaffected", "version": "1775740563", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/vllm-cuda-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1778244559", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/model-opt-cuda-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1778244531", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/vllm-rocm-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1778244546", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/vllm-spyre-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1775680192", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/vllm-cuda-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1775680262", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/vllm-rocm-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ai_inference_server:3.3::el9"], "vendor": "Red Hat", "product": "Red Hat AI Inference Server 3.3", "versions": [{"status": "unaffected", "version": "1775749857", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhaiis/model-opt-cuda-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:discovery:2::el9"], "vendor": "Red Hat", "product": "Red Hat Discovery 2", "versions": [{"status": "unaffected", "version": "1775668717", "lessThan": "*", "versionType": "rpm"}], "packageName": "discovery/discovery-server-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:discovery:2::el9"], "vendor": "Red Hat", "product": "Red Hat Discovery 2", "versions": [{"status": "unaffected", "version": "1775675922", "lessThan": "*", "versionType": "rpm"}], "packageName": "discovery/discovery-ui-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:hummingbird:1"], "vendor": "Red Hat", "product": "Red Hat Hardened Images", "versions": [{"status": "unaffected", "version": "3.8.7-1.hum1", "lessThan": "*", "versionType": "rpm"}], "packageName": "libarchive-main", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:insights_proxy:1.5::el9"], "vendor": "Red Hat", "product": "Red Hat Insights proxy 1.5", "versions": [{"status": "unaffected", "version": "1776868961", "lessThan": "*", "versionType": "rpm"}], "packageName": "insights-proxy/insights-proxy-container-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhui:5::el9"], "vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "versions": [{"status": "unaffected", "version": "1776868774", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhui5/cds-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhui:5::el9"], "vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "versions": [{"status": "unaffected", "version": "1776868744", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhui5/haproxy-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhui:5::el9"], "vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "versions": [{"status": "unaffected", "version": "1776868772", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhui5/installer-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhui:5::el9"], "vendor": "Red Hat", "product": "Red Hat Update Infrastructure 5", "versions": [{"status": "unaffected", "version": "1776868842", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhui5/rhua-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "libarchive", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-11T11:18:51.609Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-11T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-03-11T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:10065", "name": "RHSA-2026:10065", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:10081", "name": "RHSA-2026:10081", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:10097", "name": "RHSA-2026:10097", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:14773", "name": "RHSA-2026:14773", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:15087", "name": "RHSA-2026:15087", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16008", "name": "RHSA-2026:16008", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16009", "name": "RHSA-2026:16009", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:16174", "name": "RHSA-2026:16174", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:17596", "name": "RHSA-2026:17596", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:25096", "name": "RHSA-2026:25096", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:5063", "name": "RHSA-2026:5063", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:5080", "name": "RHSA-2026:5080", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6647", "name": "RHSA-2026:6647", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7093", "name": "RHSA-2026:7093", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7105", "name": "RHSA-2026:7105", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7106", "name": "RHSA-2026:7106", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7239", "name": "RHSA-2026:7239", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7329", "name": "RHSA-2026:7329", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:7335", "name": "RHSA-2026:7335", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8423", "name": "RHSA-2026:8423", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8746", "name": "RHSA-2026:8746", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8747", "name": "RHSA-2026:8747", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8748", "name": "RHSA-2026:8748", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8865", "name": "RHSA-2026:8865", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:8944", "name": "RHSA-2026:8944", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:9832", "name": "RHSA-2026:9832", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-4111", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446453", "name": "RHBZ#2446453", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/libarchive/libarchive/pull/2877"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-10T17:33:56.419Z"}, "x_redhatCweChain": "CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')"}}, "cveMetadata": {"cveId": "CVE-2026-4111", "state": "PUBLISHED", "dateUpdated": "2026-06-10T17:33:56.419Z", "dateReserved": "2026-03-13T11:33:42.645Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-03-13T11:45:20.653Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives."}, {"lang": "es", "value": "Se identific\u00f3 una vulnerabilidad en la l\u00f3gica de descompresi\u00f3n de archivos RAR5 de la biblioteca libarchive, espec\u00edficamente dentro de la ruta de procesamiento de archive_read_data(). Cuando se procesa un archivo RAR5 especialmente manipulado, la rutina de descompresi\u00f3n puede entrar en un estado en el que la l\u00f3gica interna impide el avance. Esta condici\u00f3n resulta en un bucle infinito que consume continuamente recursos de CPU. Debido a que el archivo pasa la validaci\u00f3n de suma de verificaci\u00f3n y parece estructuralmente v\u00e1lido, las aplicaciones afectadas no pueden detectar el problema antes del procesamiento. Esto puede permitir a los atacantes causar condiciones persistentes de denegaci\u00f3n de servicio en servicios que procesan archivos autom\u00e1ticamente."}], "id": "CVE-2026-4111", "lastModified": "2026-06-10T18:17:10.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-03-13T19:55:13.917", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:10065"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:10081"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:10097"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:14773"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:15087"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:16008"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:16009"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:16174"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:17596"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:25096"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:5063"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:5080"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6647"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7093"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7105"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7106"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7239"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7329"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:7335"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8423"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8746"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8747"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8748"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8865"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:8944"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:9832"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-4111"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446453"}, {"source": "secalert@redhat.com", "url": "https://github.com/libarchive/libarchive/pull/2877"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Elhanan Haenel for reporting this issue.", "bugzilla": {"description": "libarchive: Infinite Loop Denial of Service in RAR5 Decompression via archive_read_data() in libarchive", "id": "2446453", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446453"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-835", "details": ["A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4111", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4111\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4111\nhttps://github.com/libarchive/libarchive/pull/2877"], "statement": "The Red Hat Product Security team would likely assess the severity of this vulnerability as High because it allows remote attackers to cause a persistent denial-of-service condition using a small crafted archive file. Successful exploitation requires no authentication, no special configuration, and no user interaction in environments that automatically process uploaded archives. By repeatedly submitting malicious archives, an attacker can exhaust CPU resources or worker threads in services such as file upload systems, CI/CD pipelines, mail scanners, and content indexing services that rely on libarchive for archive extraction.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "Red Hat OpenShift Container Platform 4", "source": "cna", "vendor": "Red Hat"}, "product": "openshift_container_platform", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-15T15:59:45.124296+00:00", "value": {"mitigation_remediation": ["Install the Red\u00a0Hat Security Advisories RHSA-2026:5063, RHSA-2026:5080, RHSA-2026:6647, RHSA-2026:7093, RHSA-2026:7105, RHSA-2026:7106, RHSA-2026:7329, and RHSA-2026:7335 which contain the libarchive patch.", "Upgrade libarchive to the patched version that eliminates the infinite loop in RAR5 decompression.", "If the application does not require processing of RAR5 archives, disable or restrict handling of such files to prevent potential denial\u2011of\u2011service scenarios."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via CPU exhaustion"}, "threat_synthesis": {"affected_systems": "Red Hat AI Inference Server 3.2, Red Hat Discovery 2, Red Hat Enterprise Linux 10, 8, 7, 6, and RHEL 9 (including base, appstream, extended update support 9.0, 9.2, 9.4, 9.6), Red\u00a0Hat Hardened Images, and OpenShift Container Platform\u00a04 are all impacted by the libarchive vulnerability.", "description_and_impact": "An infinite loop is triggered in libarchive\u2019s RAR5 decompression when a specially crafted archive is processed, causing continuous CPU consumption. The archive passes checksum validation and appears structurally valid, so the application cannot detect the issue before use. The result is a persistent denial\u2011of\u2011service condition affecting any service that automatically processes such archives.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a moderately high severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild as of now. It is not listed in the CISA KEV catalog. The vulnerability requires an attacker to deliver a malicious RAR5 archive to the target process, which could occur through remote upload or local file consumption depending on the application\u2019s configuration. No known public exploit has been observed, but the lack of detection means that legitimate looking archives can silently consume system resources."}}}}, "created": "2026-03-16T09:25:22.752601+00:00", "updated": "2026-04-15T17:00:07.003292+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux", "redhat$PRODUCT$openshift_container_platform"]}