PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5601 Libarchive CVE debrief

CVE-2017-5601 is a high-severity memory-safety issue in libarchive 3.2.2. According to the NVD record, a specially crafted archive can trigger an out-of-bounds read in lha_read_file_header_1(), the LHA (.lzh/.lha) header parser in archive_read_support_format_lha.c, and crash the process that is reading the archive. Because archive handling is routinely exposed to untrusted input, this should be treated as a denial-of-service risk in any product that embeds or depends on the affected libarchive version, whether or not that product deliberately accepts LHA files.

Vendor: Libarchive
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Security and platform teams running libarchive 3.2.2 directly, or shipping products that parse archives through libarchive, including the bsdtar and bsdcpio command-line tools that are built on it. This is especially relevant for systems that accept user-uploaded, email-delivered, downloaded, or otherwise untrusted archive files. The NVD record enumerates only 3.2.2 as affected; treat that as the version that was tested rather than as proof that older builds are clean, and verify any other version against the referenced fix commit.

Technical summary

The vulnerability is classified by NVD as CWE-125 (out-of-bounds read) and has CVSS v3.0 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. the only documented impact is on availability. The affected CPE in the supplied record is libarchive 3.2.2. The issue resides in lha_read_file_header_1() within archive_read_support_format_lha.c, where malformed header data can cause an out-of-bounds read and a subsequent crash. One practical caveat: libarchive's read API selects a format by letting every enabled format reader inspect the input, so an application that calls archive_read_support_format_all() (the common choice) will hand arbitrary input to the LHA reader whenever it bids highest; the attacker does not need the file to be named or declared as an LHA archive. The NVD references a libarchive commit that corresponds to a patch for the issue.
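To make the failure pattern concrete, the following is an added model written for this debrief; it is not libarchive's code and does not reproduce the exact logic of lha_read_file_header_1(). It parses a simplified LHA level-1 header in which, as in the real format, the compressed-size field also counts the extended headers that follow the base header. The unsafe path subtracts the extended-header bytes and carries on even when the derived size goes negative, which is the kind of value that, once used as a read length, produces an out-of-bounds read; the hardened path rejects that header before the size is used. The header layout, the sample bytes, and the names parse_h1, walk_ext_headers and make_benign_h1 are constructed for illustration, and the model assumes only the general pattern of a length derived from untrusted header fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative model of LHA level-1 header parsing (not libarchive's code).
 * Offsets follow the LHA level-1 layout; the checksum and CRC fields are
 * deliberately not validated because they play no part in the size logic shown.
 */
#define H1_COMPSIZE    7   /* 4 bytes LE: compressed size, which also counts the extended headers */
#define H1_ORIGSIZE   11   /* 4 bytes LE: uncompressed size */
#define H1_LEVEL      20   /* 1 byte: header level, must be 1 */
#define H1_NAMELEN    21   /* 1 byte: filename length */
#define H1_FIXED_SIZE 22   /* bytes of base header before the filename */

struct lha_hdr {
    int64_t compsize;   /* payload bytes left once extended headers are removed */
    int64_t origsize;
    size_t  ext_total;  /* extended-header bytes consumed after the base header */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/*
 * Walk the extended-header chain at buf[pos]: a 2-byte LE size, then that many
 * bytes whose last two bytes give the size of the next block; size 0 ends the
 * chain. Returns bytes consumed, or -1 if the chain would run past the buffer.
 */
static int64_t walk_ext_headers(const uint8_t *buf, size_t len, size_t pos)
{
    size_t start = pos;
    for (;;) {
        if (pos + 2 > len)
            return -1;
        uint16_t es = le16(buf + pos);
        pos += 2;
        if (es == 0)
            break;
        if (es < 2 || es > len - pos)   /* a block must at least hold its own next-size field */
            return -1;
        pos += es - 2;                  /* leave pos on the next size field */
    }
    return (int64_t)(pos - start);
}

/*
 * Parse a level-1 header. With hardened == 0 the function mirrors the unsafe
 * pattern: the derived compsize may go negative and is returned anyway. With
 * hardened != 0 a negative compsize is rejected (-1) before it can be used.
 */
int parse_h1(const uint8_t *buf, size_t len, struct lha_hdr *out, int hardened)
{
    if (len < H1_FIXED_SIZE || buf[H1_LEVEL] != 1)
        return -1;
    size_t pos = H1_FIXED_SIZE + buf[H1_NAMELEN] + 2 /* CRC-16 */ + 1 /* OS id */;
    if (pos > len)
        return -1;
    int64_t ext = walk_ext_headers(buf, len, pos);
    if (ext < 0)
        return -1;
    out->origsize  = le32(buf + H1_ORIGSIZE);
    out->ext_total = (size_t)ext;
    /* Level-1 compsize includes the extended headers; strip them to get the payload length. */
    out->compsize  = (int64_t)le32(buf + H1_COMPSIZE) - ext;
    if (hardened && out->compsize < 0)
        return -1;   /* crafted header: the size field is smaller than the headers it covers */
    return 0;
}

/* Constructed sample: compsize (4) is smaller than the 10 bytes of extended headers. */
static const uint8_t crafted_h1[] = {
    0x19, 0x00,                  /* header size, checksum (unchecked in this model) */
    '-', 'l', 'h', '5', '-',     /* method */
    0x04, 0x00, 0x00, 0x00,      /* compsize = 4 */
    0x10, 0x00, 0x00, 0x00,      /* origsize = 16 */
    0x00, 0x00, 0x00, 0x00,      /* MS-DOS timestamp */
    0x20,                        /* attribute */
    0x01,                        /* level 1 */
    0x03, 'a', '.', 't',         /* filename length + filename */
    0x00, 0x00,                  /* CRC-16 */
    'U',                         /* OS id */
    0x05, 0x00,                  /* ext block 1: 5 bytes follow */
    0x01, 'x', 'y', 0x03, 0x00,  /* type 1, two data bytes, next block is 3 bytes */
    0x02, 0x00, 0x00,            /* type 2, next size 0 ends the chain */
};

/* Copies the sample into dst with a consistent compsize of 32 (22 payload bytes). */
size_t make_benign_h1(uint8_t *dst, size_t cap)
{
    if (cap < sizeof crafted_h1)
        return 0;
    memcpy(dst, crafted_h1, sizeof crafted_h1);
    dst[H1_COMPSIZE] = 0x20;
    return sizeof crafted_h1;
}

int main(void)
{
    struct lha_hdr h;
    if (parse_h1(crafted_h1, sizeof crafted_h1, &h, 0) == 0)
        printf("unsafe path accepted header: compsize=%lld, which as a read length is %zu bytes\n",
               (long long)h.compsize, (size_t)h.compsize);
    printf("hardened path: %s\n",
           parse_h1(crafted_h1, sizeof crafted_h1, &h, 1) ? "rejected" : "accepted");
    uint8_t ok[sizeof crafted_h1];
    make_benign_h1(ok, sizeof ok);
    if (parse_h1(ok, sizeof ok, &h, 1) == 0)
        printf("benign header: payload compsize=%lld\n", (long long)h.compsize);
    return 0;
}
```

The point of the model is the last line of the unsafe path: a signed size that has gone negative turns into a very large unsigned read length at the next consumer, and the only reliable place to stop it is immediately after it is derived, which is what the hardened branch does.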

Defensive priority

High

Recommended defensive actions

  • Inventory all applications, appliances, and libraries that include libarchive (including bsdtar/bsdcpio and statically linked or vendored copies) and confirm whether version 3.2.2 is present.
  • Upgrade to a libarchive release that includes the referenced fix commit, or a vendor-maintained build containing that patch. For a vendored source tree, a quick check is `git merge-base --is-ancestor 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 HEAD`, which exits 0 when the fix is already in the history.
  • Treat all archive inputs as untrusted and apply defense-in-depth controls around archive extraction and parsing; if your application enables formats with archive_read_support_format_all() but never needs LHA input, enabling only the formats you actually handle removes this reader from the attack surface.
  • Add crash monitoring and alerting for services that process archives, since the primary documented impact is denial of service; a sudden rise in crashes of the extractor process is the observable signal here.
  • If immediate upgrading is not possible, reduce exposure by restricting who can submit archives and by isolating archive-processing workloads (a separate low-privilege process or container, with the host configured to restart it on crash).

Evidence notes

Supported by the official NVD CVE record and the CVE.org record. The supplied NVD metadata identifies libarchive 3.2.2 as vulnerable, describes an out-of-bounds read in lha_read_file_header_1(), assigns CWE-125, and lists CVSS v3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The NVD reference list includes the upstream libarchive commit 98dcbbf0bf4854bf987557e55e55fff7abbf3ea9 as a patch reference.

Official resources

The NVD and CVE.org records are the official sources for this entry. Publicly disclosed on 2017-01-27T22:59:08.413Z (NVD publication timestamp). The supplied record was last modified on 2026-05-13T00:24:29.033Z.