CVE-2026-4111

Summary

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 100:3.7.7-5.el10_1 < *unaffected
Red HatRed Hat Enterprise Linux 10.0 Extended Update Support0:3.7.7-5.el10_0 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.5.3-7.el9_7 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.5.3-7.el9_7 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Update Services for SAP Solutions0:3.5.3-2.el9_0.3 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Update Services for SAP Solutions0:3.5.3-5.el9_2.1 < *unaffected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Support0:3.5.3-4.el9_4.2 < *unaffected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Support0:3.5.3-6.el9_6.1 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.13413.92.202604080111-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.14414.92.202605060243-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.15415.92.202605060220-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.16416.94.202604211449-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.17417.94.202605112123-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.18418.94.202604140044-0 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.194.19.9.6.202604211219-0 < *unaffected
Red HatRed Hat AI Inference Server 3.21780681984 < *unaffected
Red HatRed Hat AI Inference Server 3.21775740563 < *unaffected
Red HatRed Hat AI Inference Server 3.31778244559 < *unaffected
Red HatRed Hat AI Inference Server 3.31778244531 < *unaffected
Red HatRed Hat AI Inference Server 3.31778244546 < *unaffected
Red HatRed Hat AI Inference Server 3.31775680192 < *unaffected
Red HatRed Hat AI Inference Server 3.31775680262 < *unaffected
Red HatRed Hat AI Inference Server 3.31775749857 < *unaffected
Red HatRed Hat Discovery 21775668717 < *unaffected
Red HatRed Hat Discovery 21775675922 < *unaffected
Red HatRed Hat Hardened Images3.8.7-1.hum1 < *unaffected
Red HatRed Hat Insights proxy 1.51776868961 < *unaffected
Red HatRed Hat Update Infrastructure 51776868774 < *unaffected
Red HatRed Hat Update Infrastructure 51776868744 < *unaffected
Red HatRed Hat Update Infrastructure 51776868772 < *unaffected
Red HatRed Hat Update Infrastructure 51776868842 < *unaffected

Weaknesses

  • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

libarchive: Infinite Loop Denial of Service in RAR5 Decompression via archive_read_data() in libarchive

Additional References

References