Description
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive 3.3.4-dev allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo. NOTE: this only affects users who downloaded the development code from GitHub. Users of the product's official releases are unaffected.
References (3)
Core 3
Core References
Third Party Advisory
https://access.redhat.com/security/cve/cve-2019-11463
Exploit, Third Party Advisory x_refsource_misc
https://github.com/libarchive/libarchive/issues/1165
Patch, Third Party Advisory x_refsource_misc
https://github.com/libarchive/libarchive/commit/ba641f73f3d758d9032b3f0e5597a9c6e593a505
Scores
CVSS v3
5.5
EPSS
0.0020
EPSS Percentile
41.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Details
CWE
CWE-401
Status
published
Products (1)
libarchive/libarchive
< 3.4.0
Published
Apr 23, 2019
Tracked Since
Feb 18, 2026