CVE-2018-1000877

HIGH

libarchive <v3.1.0 - Double Free

Title source: llm

Description

libarchive version commit 416694915449219d505531b1096384f3237dd6cc onwards (release v3.1.0 onwards) contains a CWE-415: Double Free vulnerability in RAR decoder - libarchive/archive_read_support_format_rar.c, parse_codes(), realloc(rar->lzss.window, new_size) with new_size = 0 that can result in Crash/DoS. This attack appear to be exploitable via the victim must open a specially crafted RAR archive.

References (15)

Scores

CVSS v3 8.8
EPSS 0.0177
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-415
Status published

Affected Products (13)

libarchive/libarchive < 3.4.0
debian/debian_linux
debian/debian_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
canonical/ubuntu_linux
fedoraproject/fedora
fedoraproject/fedora
fedoraproject/fedora
redhat/enterprise_linux_desktop
redhat/enterprise_linux_server
redhat/enterprise_linux_workstation

Timeline

Published Dec 20, 2018
Tracked Since Feb 18, 2026