Untriaged
CVE-2026-4426
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Libarchive: libarchive: denial of service via malformed iso file processing
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
Affected products
rhcos
libarchive
Matching in nixpkgs
Package maintainers
- @dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
- @minijackson Rémi Nicole <minijackson@riseup.net>
- @sephalon Stefan Wiehler <me@sephalon.net>
- @edwtjo Edward Tjörnhammar <ed@cflags.cc>
- @peterhoeg Peter Hoeg <peter@hoeg.com>
- @nvmd Sergey Kazenyuk <kazenyuk@pm.me>
- @aanderse Aaron Andersen <aaron@fosslib.net>
- @cpages Carles Pagès <page@ruiec.cat>
- @jcumming Jack Cummings <jack@mudshark.org>
- @dan4ik605743 Danil Danevich <6057430gu@gmail.com>
- @TomaSajt TomaSajt