{
  "threat_severity" : "Moderate",
  "public_date" : "2025-10-10T11:15:15Z",
  "bugzilla" : {
    "description" : "github.com/nwaples/rardecode: RarDecode Out Of Memory Crash",
    "id" : "2403068",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2403068"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-789",
  "details" : [ "github.com/nwaples/rardecode versions <=2.1.1 fail to restrict the dictionary size when reading large RAR dictionary sizes, which allows an attacker to provide a specially crafted RAR file and cause Denial of Service via an Out Of Memory Crash.", "A memory exhaustion flaw has been discovered in the golang Rar Decode library (github.com/nwaples/rardecode). Affected versions did not limit the size of an archive and so an attacker could provide a crafted archive to a tool or service built on Rar decode which might consume more memory than available. This would lead to a program crash." ],
  "package_state" : [ {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift-serverless-1/kn-plugin-event-sender-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-central-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-collector-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-main-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-operator-bundle",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-rhel8-operator",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-slim-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-db-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4",
    "fix_state" : "Fix deferred",
    "package_name" : "advanced-cluster-security/rhacs-scanner-v4-rhel8",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/oc-mirror-plugin-rhel8",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "openshift4/oc-mirror-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Trusted Application Pipeline",
    "fix_state" : "Fix deferred",
    "package_name" : "rhtap-task-runner/rhtap-task-runner-rhel9",
    "cpe" : "cpe:/a:redhat:trusted_application_pipeline:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-11579\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11579\nhttps://github.com/nwaples/rardecode/commit/52fb4e825c936636f251f7e7deded39ab11df9a9" ],
  "name" : "CVE-2025-11579",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}