CVE-2019-18408

HIGH

Libarchive < 3.4.0 - Use After Free

Title source: rule
STIX 2.1

Description

archive_read_format_rar_read_data in archive_read_support_format_rar.c in libarchive before 3.4.0 has a use-after-free in a certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol.

References (15)

Core 15
Core References
Third Party Advisory x_refsource_misc
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14689
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/libarchive/libarchive/compare/v3.3.3...v3.4.0
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/10/msg00034.html
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/4169-1/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2019/dsa-4557
Mailing List mailing-list x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Nov/2
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0246
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0271
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2020:0203
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202003-28

Scores

CVSS v3 7.5
EPSS 0.0459
EPSS Percentile 89.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-416
Status published
Products (6)
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
libarchive/libarchive < 3.4.0
Published Oct 24, 2019
Tracked Since Feb 18, 2026