High severity7.5NVD Advisory· Published Mar 13, 2026· Updated May 14, 2026

CVE-2026-4111

Description

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Affected products

Libarchive/Libarchivereferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2026:10065nvd
access.redhat.com/errata/RHSA-2026:10081nvd
access.redhat.com/errata/RHSA-2026:10097nvd
access.redhat.com/errata/RHSA-2026:14773nvd
access.redhat.com/errata/RHSA-2026:15087nvd
access.redhat.com/errata/RHSA-2026:16008nvd
access.redhat.com/errata/RHSA-2026:16009nvd
access.redhat.com/errata/RHSA-2026:16174nvd
access.redhat.com/errata/RHSA-2026:5063nvd
access.redhat.com/errata/RHSA-2026:5080nvd
access.redhat.com/errata/RHSA-2026:6647nvd
access.redhat.com/errata/RHSA-2026:7093nvd
access.redhat.com/errata/RHSA-2026:7105nvd
access.redhat.com/errata/RHSA-2026:7106nvd
access.redhat.com/errata/RHSA-2026:7239nvd
access.redhat.com/errata/RHSA-2026:7329nvd
access.redhat.com/errata/RHSA-2026:7335nvd
access.redhat.com/errata/RHSA-2026:8423nvd
access.redhat.com/errata/RHSA-2026:8746nvd
access.redhat.com/errata/RHSA-2026:8747nvd
access.redhat.com/errata/RHSA-2026:8748nvd
access.redhat.com/errata/RHSA-2026:8865nvd
access.redhat.com/errata/RHSA-2026:8944nvd
access.redhat.com/errata/RHSA-2026:9832nvd
access.redhat.com/security/cve/CVE-2026-4111nvd
bugzilla.redhat.com/show_bug.cginvd
github.com/libarchive/libarchive/pull/2877nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000