{
  "threat_severity" : "Low",
  "public_date" : "2025-05-20T00:00:00Z",
  "bugzilla" : {
    "description" : "libarchive: Reading past EOF may be triggered for piped file streams",
    "id" : "2370877",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2370877"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-125",
  "details" : [ "A vulnerability has been identified in the libarchive library. The flaw can be triggered when archive data is piped into bsdtar (read from a pipe rather than a regular file), potentially causing the reader to continue past the end of the input. The resulting out-of-bounds read (CWE-125) can lead to unpredictable program behavior, disclosure of adjacent memory contents, or a denial-of-service condition (crash). Being a read, not a write, it does not by itself provide a memory-corruption or code-execution primitive, which is consistent with the CVSS vector's Integrity: None." ],
  "statement" : "This vulnerability is rated Low for Red Hat products. The flaw in libarchive can be triggered when `bsdtar` processes a specially crafted archive supplied through a pipe, potentially leading to unpredictable program behavior or an application-level denial-of-service condition. Exploitation requires a local user to process a malicious archive, and the CVSS vector reflects this: local attack vector, low privileges, user interaction required, limited confidentiality and availability impact, and no integrity impact.",
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat In-Vehicle Operating System 1",
    "fix_state" : "Fix deferred",
    "package_name" : "libarchive",
    "cpe" : "cpe:/o:redhat:rhivos:1"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Fix deferred",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-5918\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-5918\nhttps://github.com/libarchive/libarchive/pull/2584\nhttps://github.com/libarchive/libarchive/releases/tag/v3.8.0" ],
  "name" : "CVE-2025-5918",
  "mitigation" : {
    "value" : "Upgrade to libarchive version 3.8.0 or later, which includes the upstream fix (libarchive pull request #2584) along with other security fixes and stability improvements. Where an updated package is not yet available (the fix is currently deferred for the Red Hat products listed above), avoid piping untrusted archive data into `bsdtar`; the flaw is described as being triggered only by piped input streams.",
    "lang" : "en:us"
  },
  "csaw" : false
}