Medium severity6.5NVD Advisory· Published Mar 19, 2026· Updated May 3, 2026

CVE-2026-4426

Description

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

Affected products

Libarchive/Libarchive
cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*
Red Hat/Hardened Images
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
Red Hat/Openshift Container Platform
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux5 versions
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/libarchive/libarchive/pull/2897nvdIssue TrackingPatch
access.redhat.com/security/cve/CVE-2026-4426nvdThird Party Advisory
bugzilla.redhat.com/show_bug.cginvdIssue TrackingThird Party Advisory
access.redhat.com/errata/RHSA-2026:8944nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000