CVE-2026-4426
Received Received - Intake
Undefined Behavior in libarchive zisofs Causes Remote DoS

Publication date: 2026-03-19

Last updated on: 2026-05-03

Assigner: Red Hat, Inc.

Description
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-05-03
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4426
EUVD
EUVD-2026-13099
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
libarchive libarchive *
redhat hardened_images *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1335 An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4426 is a vulnerability in the libarchive library's ISO9660 filesystem support, specifically in the zisofs decompression logic. It arises because a field called `pz_log2_bs`, which is read from ISO9660 Rock Ridge extensions, is not properly validated before being used in bit-shift operations."}, {'type': 'paragraph', 'content': 'The `pz_log2_bs` value should only be 15, 16, or 17 according to the zisofs specification, but the code accepts any value from 0 to 255 without checking. When an invalid value is used, it causes undefined behavior in the program, such as incorrect memory allocation sizes and buffer overflows.'}, {'type': 'paragraph', 'content': 'This undefined behavior can lead to application crashes or other unpredictable results, especially when processing specially crafted ISO files that exploit this flaw.'}] [1, 2]

Impact Analysis

This vulnerability can be exploited by a remote attacker who supplies a specially crafted ISO file containing an invalid `pz_log2_bs` value.

Exploitation leads to undefined behavior during the zisofs decompression process, causing incorrect memory allocation and heap buffer overflows.

As a result, the application using libarchive to process the ISO file may crash, causing a denial-of-service (DoS) condition.

This means that systems relying on libarchive for ISO file handling could be disrupted or made unavailable by such an attack.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial-of-service conditions in applications using libarchive when processing ISO files, especially those containing ISO9660 Rock Ridge extensions.

Testing with UndefinedBehaviorSanitizer (UBSAN) or AddressSanitizer (ASAN) during decompression of ISO files can help detect the undefined behavior caused by invalid `pz_log2_bs` values.

Specifically, crafted ISO files with invalid `pz_log2_bs` values (e.g., 0, 63, 64, 128, 255) can be used to test if the system or application crashes or triggers sanitizer errors.

There are no explicit commands provided in the resources, but you can use tools like `strace` or `gdb` to monitor libarchive-based applications for crashes when extracting suspicious ISO files.

Mitigation Strategies

The immediate mitigation step is to update libarchive to a version that includes the patch enforcing validation of the `pz_log2_bs` field.

The patch disables zisofs decompression for ISO entries with invalid `pz_log2_bs` values by setting the decompression pointer to zero, preventing the vulnerable code path from executing.

Until the update is applied, avoid processing untrusted or specially crafted ISO files that could exploit this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4426. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart