PatchSiren cyber security CVE debrief

CVE-2026-4424 Redhat CVE debrief

CVE-2026-4424 is a high-severity information-disclosure issue in libarchive's RAR handling. A specially crafted RAR archive can trigger a heap out-of-bounds read and expose sensitive heap memory, with no authentication or user interaction required.

Vendor: Redhat
Product: CVE-2026-4424
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-19
Original CVE updated: 2026-05-12
Advisory published: 2026-03-19
Advisory updated: 2026-05-12

Who should care

Security teams, Linux/package maintainers, and administrators running libarchive directly or through Red Hat products listed in NVD affected-configuration data. Systems that automatically preview, scan, or extract untrusted archives should treat this as a priority issue.

Technical summary

NVD and Red Hat's advisory references describe a heap out-of-bounds read in libarchive's RAR archive processing logic. The flaw stems from improper validation of the LZSS sliding window size after transitions between compression methods. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a remotely reachable confidentiality impact only, consistent with heap memory disclosure rather than integrity or availability loss. NVD maps the issue to CWE-125.
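The class of check the summary above describes, as an added, constructed example (not libarchive's code and not the fix for this CVE): an LZSS window that re-validates its size when a compression-method transition announces a new dictionary size, and bounds every back-reference by the window that is actually allocated at that moment. The 4 MiB size ceiling and the history-discarding resize are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed illustration, not libarchive's code: an LZSS window that
 * re-validates its size on a dictionary-size change and bounds every
 * back-reference by the window that is actually allocated right now. */
struct lzss_window {
    uint8_t *buf;      /* heap window buffer */
    size_t size, pos;  /* allocated bytes (power of two); bytes emitted since (re)allocation */
};
/* (Re)allocate on a compression-method/dictionary transition. Zero, non-power-of-two
 * or oversize (assumed 4 MiB ceiling) requests are rejected; old history is discarded,
 * so pos restarts and any match reaching into the old window is refused below. */
int lzss_window_resize(struct lzss_window *w, size_t n)
{
    if (n == 0 || n > (1u << 22) || (n & (n - 1)) != 0) return -1;
    uint8_t *nb = calloc(n, 1);
    if (nb == NULL) return -1;
    free(w->buf);
    w->buf = nb; w->size = n; w->pos = 0;
    return 0;
}
int lzss_emit_literal(struct lzss_window *w, uint8_t c)
{
    if (w->buf == NULL) return -1;
    w->buf[w->pos++ & (w->size - 1)] = c;
    return 0;
}
/* Copy `len` bytes from `dist` back. A distance beyond the current window or
 * beyond the history written so far is refused before any buffer access. */
int lzss_emit_match(struct lzss_window *w, size_t dist, size_t len)
{
    if (w->buf == NULL || dist == 0 || dist > w->size || dist > w->pos) return -1;
    for (size_t i = 0; i < len; i++) {
        uint8_t c = w->buf[(w->pos - dist) & (w->size - 1)];
        w->buf[w->pos++ & (w->size - 1)] = c;
    }
    return 0;
}
/* Self-check: decode a little, then simulate a transition to a smaller window. */
int lzss_selftest(void)
{
    struct lzss_window w = {NULL, 0, 0};
    if (lzss_window_resize(&w, 100) != -1) return 1; /* not a power of two */
    if (lzss_window_resize(&w, 64) != 0) return 2;
    lzss_emit_literal(&w, 'a'); lzss_emit_literal(&w, 'b');
    if (lzss_emit_match(&w, 2, 4) != 0 || w.pos != 6) return 3; /* "ababab" */
    if (lzss_emit_match(&w, 7, 1) != -1) return 4; /* beyond written history */
    if (lzss_window_resize(&w, 16) != 0) return 5; /* transition, history gone */
    if (lzss_emit_match(&w, 1, 1) != -1) return 6; /* old history unreachable */
    free(w.buf); return 0;
}
```

`lzss_selftest()` returns 0 when every bounds check behaves as intended, and the number of the first failing step otherwise.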

Defensive priority

High. Prioritize remediation where libarchive is exposed to untrusted RAR content or embedded in services that process archives automatically, because the issue is remotely triggerable and can leak heap memory without user interaction.

Recommended defensive actions

  • Upgrade libarchive to a vendor-fixed version when available from your distribution or upstream package channel.
  • Apply the relevant Red Hat advisories listed in NVD for affected products and confirm the corrected package build is deployed.
  • Inventory systems and applications that use libarchive, including container images and appliance base layers.
  • Restrict or sandbox processing of untrusted archive files until patched systems are in place.
  • Treat extracted or parsed archive data from untrusted sources as sensitive until remediation is complete and review any exposed memory-sensitive workflows.

Evidence notes

This debrief is based on the NVD CVE record and its modified-feed entry, which provide the vulnerability description, CVSS vector, affected CPEs, and CWE mapping. The NVD reference set includes Red Hat security advisories plus issue-tracking links to a Red Hat Bugzilla entry and a libarchive GitHub pull request, supporting the downstream-impact and fix-tracking context. The published date used here is the CVE publication timestamp supplied with the record; no later generation or review date is treated as the issue date.

Official resources

CVE published: 2026-03-19T15:16:28.300Z; CVE modified and source modified: 2026-05-12T10:16:46.960Z. No KEV listing was supplied.