PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4111 Access CVE debrief

CVE-2026-4111 describes an availability issue in libarchive’s RAR5 decompression logic. A specially crafted RAR5 archive can cause the archive_read_data() processing path to stop making forward progress and spin in an infinite loop, consuming CPU until the affected service degrades or becomes unavailable. Because the archive can pass checksum validation and appear structurally valid, the problem may not be detectable before processing begins. This is primarily a denial-of-service risk for software that automatically ingests untrusted archives.

Vendor: Access
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-13
Original CVE updated: 2026-05-12
Advisory published: 2026-03-13
Advisory updated: 2026-05-12

Who should care

Operators and developers who use libarchive directly, or who rely on products and services that bundle it for automated archive extraction. The highest exposure is in services that accept user-supplied archives, unpack files in the background, or process attachments and uploads without strong resource limits.

Technical summary

The source corpus identifies the flaw in the RAR5 decompression logic within libarchive’s archive_read_data() path. The issue is characterized as an infinite loop / no-forward-progress condition, mapped to CWE-835 (loop with unreachable exit condition). NVD lists the CVSS v3.1 vector as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating an unauthenticated network-reachable availability impact. The available corpus does not provide affected version ranges or a fixed version, but it does include multiple Red Hat errata and a libarchive pull request reference, suggesting downstream remediation activity.

Defensive priority

High. This is a remotely triggerable availability issue with no confidentiality or integrity impact in the supplied data, but it can still create persistent CPU exhaustion in services that process archives automatically.

Recommended defensive actions

  • Review whether your environment uses libarchive directly or indirectly through another product.
  • Apply vendor errata and upstream fixes as they become available; the corpus includes Red Hat advisories and a libarchive pull request reference tied to this CVE.
  • Treat untrusted archive inputs as high risk and restrict where archive extraction is allowed.
  • Add CPU, time, and memory limits around archive-processing jobs so a stalled decompression path cannot monopolize a host.
  • Prefer sandboxing or isolated worker processes for archive handling.
  • Monitor archive-processing services for sustained CPU spikes or worker starvation that could indicate a stuck decompression loop.
  • Track downstream product advisories if libarchive is embedded in a larger application, because remediation may arrive via vendor packages rather than the upstream library alone.
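The resource limits recommended above, as an added example that is not part of this advisory or of libarchive: the extraction call runs in a disposable worker capped by RLIMIT_CPU, a wall-clock join timeout and RLIMIT_AS, and a worker that dies or overruns is reported rather than left spinning. The three decompress functions are constructed stand-ins for the real extraction call (bsdtar or a libarchive binding).

```python
# Disposable worker with hard CPU, wall-clock and memory caps around an
# extraction job, so a stuck decompression loop cannot monopolize the host.
import multiprocessing as mp
import resource
import time
from queue import Empty

try:  # fork avoids re-importing this module in the worker; fall back otherwise
    _ctx = mp.get_context("fork")
except ValueError:
    _ctx = mp.get_context()

def _worker(target, args, cpu_seconds, mem_bytes, result_q):
    # CPU-time cap: kernel sends SIGXCPU at the soft limit, SIGKILL at the hard
    # limit, so the loop is stopped even if the library never returns.
    resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
    if mem_bytes is not None:  # address-space cap against runaway allocation
        resource.setrlimit(resource.RLIMIT_AS, (mem_bytes, mem_bytes))
    try:
        result_q.put(("ok", target(*args)))
    except Exception as exc:  # report library errors instead of losing them
        result_q.put(("error", repr(exc)))

def run_with_limits(target, args=(), cpu_seconds=10, wall_seconds=30,
                    mem_bytes=1024 * 2**20):
    """Return ("ok", value), ("error", message) or ("killed", reason)."""
    q = _ctx.Queue()
    p = _ctx.Process(target=_worker, args=(target, args, cpu_seconds, mem_bytes, q))
    p.start()
    p.join(wall_seconds)
    if p.is_alive():  # wall-clock cap also catches a worker blocked on I/O
        p.kill()
        p.join()
        return ("killed", "wall-clock limit exceeded")
    try:
        return q.get(timeout=1)
    except Empty:  # worker died without reporting: CPU or memory limit hit
        return ("killed", f"worker exited with code {p.exitcode}")

# Constructed stand-ins for the real extraction call (e.g. bsdtar or a
# libarchive binding); the first models the no-forward-progress condition.
def stuck_decompress(path):
    while True:  # never advances, like the affected archive_read_data() path
        pass

def blocked_decompress(path):
    time.sleep(60)  # stalled on I/O rather than CPU; hits the wall-clock cap

def quick_decompress(path):
    return len(path)  # stands in for a normal, successful extraction
```

A sustained stream of "killed" results from one input source is the worker-starvation signal the monitoring bullet describes, and is worth alerting on separately from ordinary extraction errors.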

Evidence notes

The debrief is based on the supplied CVE description, NVD metadata, and referenced official sources. NVD shows the vulnerability status as "Awaiting Analysis" and records CWE-835 with a high-availability CVSS vector. The source corpus also includes Red Hat security advisories referencing this CVE and a libarchive GitHub pull request, but no affected-version matrix was provided in the supplied data. The vendor field in the prompt is low-confidence and should not be treated as authoritative product attribution.

Official resources

CVE published on 2026-03-13 UTC. The supplied corpus indicates later NVD modification on 2026-05-12 UTC, with no KEV listing present in the provided data.