<Vulnerability name="CVE-2026-15028">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Low</ThreatSeverity>
    <PublicDate>2026-07-08T10:10:00</PublicDate>
    <Bugzilla id="2497970" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497970" xml:lang="en:us">
libarchive: heap overflow OOB read while parsing a tar archive contains a PAX extended header
    </Bugzilla>
    <CVSS3 status="verified">
        <CVSS3BaseScore>3.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.
    </Details>
    <Statement xml:lang="en:us">
Conditions for Exploitation: Successful exploitation requires user interaction or a specific application workflow. An attacker cannot trigger this flaw entirely on their own remotely; they must supply a specially crafted tar archive and rely on a user or an automated system (such as an antivirus scanner or file extraction tool) to actively parse it using the libarchive library.

Impact Limitations: Although the heap overflow has the potential to allow for arbitrary code execution, achieving this reliably is typically complex and highly dependent on the memory layout and protections of the specific application utilizing the library. In most common scenarios, the malformed archive will simply cause the parsing application to crash, resulting in a localized Denial of Service (DoS) rather than a full system compromise.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, avoid processing untrusted or unverified tar archives. Users should exercise caution when handling archives from unknown sources or those with unexpected content, as processing a specially crafted archive could trigger the vulnerability.
    </Mitigation>
    <AffectedRelease impact="moderate" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <ReleaseDate>2026-07-12T00:00:00Z</ReleaseDate>
        <Advisory type="RHSA" url="https://access.redhat.com/errata/RHSA-2026:38279">RHSA-2026:38279</Advisory>
        <Package name="libarchive-main">libarchive-main-3.8.8-2.1.hum1</Package>
    </AffectedRelease>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>libarchive</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>libarchive</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>libarchive</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>libarchive</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>libarchive</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:openshift:4">
        <ProductName>Red Hat OpenShift Container Platform 4</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>rhcos</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-15028
https://nvd.nist.gov/vuln/detail/CVE-2026-15028
https://github.com/libarchive/libarchive/issues/3251
https://github.com/libarchive/libarchive/pull/3253
    </References>
</Vulnerability>