Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1006

NIXPKGS-2026-1006
published on
Permalink CVE-2026-5745
5.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): NONE
  • Availability impact (A): HIGH
updated 1 day, 21 hours ago by @LeSuisse Activity log
  • Created automatic suggestion 2 days, 6 hours ago
  • @LeSuisse removed package libarchive-qt 1 day, 22 hours ago
  • @LeSuisse removed package haskellPackages.libarchive 1 day, 22 hours ago
  • @LeSuisse removed package kodiPackages.vfs-libarchive 1 day, 22 hours ago
  • @LeSuisse removed package perlPackages.ArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package python312Packages.libarchive-c 1 day, 22 hours ago
  • @LeSuisse removed package python313Packages.libarchive-c 1 day, 22 hours ago
  • @LeSuisse removed package python314Packages.libarchive-c 1 day, 22 hours ago
  • @LeSuisse removed package haskellPackages.libarchive-clib 1 day, 22 hours ago
  • @LeSuisse removed package perl5Packages.ArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perl538Packages.ArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perl540Packages.ArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package haskellPackages.archive-libarchive 1 day, 22 hours ago
  • @LeSuisse removed package haskellPackages.libarchive-conduit 1 day, 22 hours ago
  • @LeSuisse removed package perlPackages.ArchiveLibarchivePeek 1 day, 22 hours ago
  • @LeSuisse removed package perlPackages.TestArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perl5Packages.ArchiveLibarchivePeek 1 day, 22 hours ago
  • @LeSuisse removed package perl5Packages.TestArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perl538Packages.ArchiveLibarchivePeek 1 day, 22 hours ago
  • @LeSuisse removed package perl538Packages.TestArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perl540Packages.ArchiveLibarchivePeek 1 day, 22 hours ago
  • @LeSuisse removed package perl540Packages.TestArchiveLibarchive 1 day, 22 hours ago
  • @LeSuisse removed package perlPackages.ArchiveLibarchiveExtract 1 day, 22 hours ago
  • @LeSuisse removed package perl5Packages.ArchiveLibarchiveExtract 1 day, 22 hours ago
  • @LeSuisse removed package perl538Packages.ArchiveLibarchiveExtract 1 day, 22 hours ago
  • @LeSuisse removed package perl540Packages.ArchiveLibarchiveExtract 1 day, 22 hours ago
  • @LeSuisse removed package python312Packages.extractcode-libarchive 1 day, 22 hours ago
  • @LeSuisse removed package python313Packages.extractcode-libarchive 1 day, 22 hours ago
  • @LeSuisse removed package python314Packages.extractcode-libarchive 1 day, 22 hours ago
  • @LeSuisse accepted 1 day, 22 hours ago
  • @LeSuisse published on GitHub 1 day, 21 hours ago
Libarchive: a null pointer dereference vulnerability exists in the acl parser of libarchive

A flaw was found in libarchive. A NULL pointer dereference vulnerability exists in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare "d" or "default" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. An attacker can exploit this by providing a maliciously crafted archive, causing an application utilizing the libarchive API (such as bsdtar) to crash, resulting in a Denial of Service (DoS).

References

Affected products

rhcos
libarchive

Matching in nixpkgs

pkgs.libarchive

Multi-format archive and compression library

Ignored packages (28)

Package maintainers

Upstream issue: https://github.com/libarchive/libarchive/issues/2904