PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8689 Libarchive CVE debrief

CVE-2016-8689 affects libarchive 3.2.1 and can let a remote attacker crash a process that parses a specially crafted 7zip archive. NVD describes the flaw as an out-of-bounds read in read_Header() inside archive_read_support_format_7zip.c, with the impact limited to denial of service. Because the trigger is a malformed archive, the risk is highest for applications and services that accept untrusted archives, especially automated or server-side extractors.

Vendor: Libarchive
Product: CVE-2016-8689
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Security and platform teams that ship or depend on libarchive, plus maintainers of archiving utilities, package managers, mail gateways, document processors, and any service that opens user-supplied 7z files.

Technical summary

NVD identifies the weakness as CWE-125 and rates it CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerable path is the 7zip header reader in libarchive 3.2.1, where multiple EmptyStream attributes in a header can lead to an out-of-bounds read during parsing. Official references point to vendor and maintainer advisories, issue tracking, and a libarchive patch commit, indicating the problem was addressed through downstream and upstream fixes.

Defensive priority

High. The issue is remotely reachable through archive parsing, requires no privileges or user interaction, and can take down processes that handle untrusted 7z content.

Recommended defensive actions

  • Upgrade libarchive to a version that includes the fix, or apply your distribution vendor's backport if you ship patched packages.
  • Prioritize patching systems that automatically process external archives, such as upload services, antivirus/mail scanning pipelines, CI artifact handlers, and document ingestion services.
  • Review vendor advisories and package trackers for your platform, including the referenced openSUSE, Gentoo, Red Hat, and Debian LTS materials, to confirm the fixed package version.
  • Treat untrusted archive parsing as high risk: run extractors with least privilege, sandbox where possible, and set resource limits so a parser crash cannot take down a larger service.
  • Add test coverage for malformed 7z inputs so future updates preserve the fix and do not reintroduce similar parsing regressions.
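As an added illustration of the least-privilege and resource-limit advice above (this is example code, not from the page or from libarchive), the wrapper below runs an untrusted-archive parser in a separate child process with memory, CPU and core-dump caps, and converts a parser crash into a result the calling service can handle instead of dying with it. The parser is a constructed stand-in that aborts when it sees the marker b"CRASHME", standing in for a header that faults the real reader; the 7z signature bytes are the real ones.

```python
import resource
import signal
import subprocess
import sys

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # real 7z file signature

# Constructed stand-in for the real extractor: reads the archive from stdin
# and aborts (SIGABRT) on a marker, mimicking a parser fault on a bad header.
FAKE_PARSER = r"""
import os, sys
data = sys.stdin.buffer.read()
if b"CRASHME" in data:
    os.abort()
print(len(data))
"""


def _cap(res, value):
    """Lower a resource limit, never exceeding the current hard limit."""
    _soft, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))


def _limit_child():
    """Runs in the child before exec: bound memory, CPU time and core files."""
    _cap(resource.RLIMIT_AS, 512 * 1024 * 1024)  # 512 MiB address space
    _cap(resource.RLIMIT_CPU, 5)                 # 5 s of CPU
    _cap(resource.RLIMIT_CORE, 0)                # no core dumps from crashes


def parse_untrusted_7z(data: bytes, timeout: float = 10.0) -> dict:
    """Parse an untrusted archive in an isolated child; never let its crash
    propagate to the caller. Returns a small status dict."""
    if not data.startswith(SEVENZIP_MAGIC):
        return {"status": "rejected", "reason": "not a 7z signature"}
    try:
        proc = subprocess.run([sys.executable, "-c", FAKE_PARSER], input=data,
                              capture_output=True, timeout=timeout,
                              preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return {"status": "timeout"}
    if proc.returncode < 0:  # child was killed by a signal (SIGSEGV, SIGABRT, ...)
        return {"status": "crashed", "signal": signal.Signals(-proc.returncode).name}
    if proc.returncode != 0:
        return {"status": "error", "stderr": proc.stderr.decode(errors="replace")}
    return {"status": "ok", "output": proc.stdout.decode().strip()}


if __name__ == "__main__":
    print(parse_untrusted_7z(SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 30))
    print(parse_untrusted_7z(SEVENZIP_MAGIC + b"CRASHME"))  # constructed bad input
```

The same pattern applies to a real bsdtar or libarchive-based helper in place of the stand-in command; the point is that a crash in the parser becomes a "crashed" result rather than a crash of the service.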

Evidence notes

The debrief is based on the NVD record and the supplied reference set. NVD states the issue is an out-of-bounds read in read_Header() in archive_read_support_format_7zip.c and maps it to CWE-125 with CVSS 3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The affected CPE data includes libarchive 3.2.1. Supporting references include the upstream libarchive patch commit, a security mailing list discussion, and downstream advisories from openSUSE and Gentoo. The CVE was published on 2017-02-15; later record modifications reflect metadata updates, not the original issue date.

Official resources

The CVE record was published on 2017-02-15. The supplied references show advisories and patch discussion appearing earlier in 2016, while the NVD record was later modified on 2026-05-13. Use the CVE published date for disclosure timing and,