
CVE-2026-5121 | libarchive on 32-bit ISO9660 Image Parser heap-based overflow

Source: VulDB. Archived Mar 30, 2026.

A vulnerability, which was classified as critical, has been found in libarchive on 32-bit. This vulnerability affects unknown code of the component ISO9660 Image Parser. Performing a manipulation results in heap-based buffer overflow. This vulnerability is cataloged as CVE-2026-5121. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.



VDB-354160 · CVE-2026-5121 · GCVE-0-2026-5121

CVSS Meta Temp Score: 6.0
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 3.59+

Summary

A vulnerability, which was classified as critical, was found in libarchive on 32-bit. This issue affects some unknown processing of the component ISO9660 Image Parser. Executing a manipulation can lead to heap-based overflow. This vulnerability is registered as CVE-2026-5121. It is possible to launch the attack remotely. No exploit is available. Applying a patch is advised to resolve this issue.

Details

A vulnerability classified as critical was found in libarchive on 32-bit (affected version not known). This vulnerability affects some unknown functionality of the component ISO9660 Image Parser. The manipulation with an unknown input leads to a heap-based overflow vulnerability. The CWE definition for the vulnerability is CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). As an impact it is known to affect confidentiality, integrity, and availability.

CVE summarizes: A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.

The advisory is shared for download at access.redhat.com. This vulnerability was named CVE-2026-5121 since 03/30/2026. The exploitation appears to be easy. The attack can be initiated remotely. There are neither technical details nor an exploit publicly available. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com.

Product

Type: File Compression Software
Name: libarchive
License: open-source
Website: https://github.com/libarchive/libarchive/

CVSSv3

VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0

Exploiting

Class: Heap-based overflow
CWE: CWE-122 / CWE-119
Physical: No
Local: No
Remote: Yes
Status: Not defined

Countermeasures

Recommended: Patch
Patch: github.com

Timeline

03/30/2026: Advisory disclosed
03/30/2026 (+0 days): CVE reserved
03/30/2026 (+0 days): VulDB entry created
03/30/2026 (+0 days): VulDB entry last update

Sources

Product: github.com
Advisory: access.redhat.com
Status: Confirmed
CVE: CVE-2026-5121
GCVE (CVE): GCVE-0-2026-5121
GCVE (VulDB): GCVE-100-354160

Entry

Created: 03/30/2026 11:56
Changes: 03/30/2026 11:56 (55)