CVE-2026-4426

Summary

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Hardened Images3.8.7-1.hum1 < *unaffected

Weaknesses

  • CWE-1335: Incorrect Bitwise Shift of Integer

Workarounds

To mitigate this issue, avoid processing untrusted ISO9660 images with libarchive. Restricting the sources of ISO files and ensuring they originate from trusted entities can prevent exploitation.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References