CVE-2026-4426
Undefined Behavior in libarchive zisofs Causes Remote DoS
Publication date: 2026-03-19
Last updated on: 2026-05-03
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | openshift_container_platform | 4.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
| libarchive | libarchive | * |
| redhat | hardened_images | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1335 | An integer value is specified to be shifted by a negative amount or an amount greater than or equal to the number of bits contained in the value causing an unexpected or indeterminate result. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4426 is a vulnerability in the libarchive library's ISO9660 reader, specifically in its zisofs decompression logic. It arises because the `pz_log2_bs` field, read from the ISO9660 Rock Ridge extension data of a directory entry, is not validated before it is used as a bit-shift count.

According to the zisofs specification, `pz_log2_bs` may only be 15, 16 or 17 (32 KiB, 64 KiB or 128 KiB blocks), but the code accepts any byte value from 0 to 255 without checking it. Shifting by an out-of-range count is undefined behavior (CWE-1335), and because the resulting block size drives buffer and table sizes, the consequences include incorrect memory allocation sizes and heap buffer overflows.

This undefined behavior can lead to application crashes or other unpredictable results when a specially crafted ISO image that exercises the flaw is processed. [1, 2]
How can this vulnerability impact me?
This vulnerability can be exploited by a remote attacker who supplies a specially crafted ISO file containing an invalid `pz_log2_bs` value.
Exploitation triggers undefined behavior during zisofs decompression, leading to incorrect memory allocation sizes and heap buffer overflows.
As a result, the application that uses libarchive to process the ISO file may crash, causing a denial-of-service (DoS) condition.
Any system that relies on libarchive for ISO file handling could therefore be disrupted or made unavailable by such an attack.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected primarily by observing crashes or denial-of-service conditions in applications that use libarchive to process ISO files, especially images carrying ISO9660 Rock Ridge extensions.
Running a libarchive build instrumented with UndefinedBehaviorSanitizer (UBSAN) or AddressSanitizer (ASAN) against such images reports the undefined shift and any resulting memory errors caused by invalid `pz_log2_bs` values.
Crafted ISO files with out-of-range `pz_log2_bs` values (e.g., 0, 63, 64, 128, 255) can be used as test inputs to see whether the application crashes or triggers sanitizer errors.
The resources provide no explicit commands, but tools such as `strace` or `gdb` can be used to watch libarchive-based applications for crashes while they extract suspicious ISO files.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update libarchive to a version that includes the patch enforcing validation of the `pz_log2_bs` field.
The patch disables zisofs decompression for ISO entries whose `pz_log2_bs` is out of range by setting the decompression pointer to zero, so the vulnerable code path is never reached for such entries.
Until the update is applied, avoid processing untrusted ISO files with libarchive-based tools.
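The following added example is not libarchive's code; it is a stand-alone C model of the flaw explained above and of the check the patch adds. It assumes the Rock Ridge "ZF" (zisofs) entry layout, 'Z' 'F' length version 'p' 'z' header_size log2_bs followed by the uncompressed size in little- and big-endian form, and all function and type names here (`zf_parse_unchecked`, `zf_parse_checked`, `classify_log2_bs`, `zisofs_pointer_table_size`, `struct zf_info`) are the example's own. `zf_parse_unchecked` mirrors the pre-fix behaviour of accepting any byte as the exponent, `classify_log2_bs` shows which exponents make `1 << log2_bs` undefined and which merely produce absurd sizes, and `zf_parse_checked` refuses anything outside 15..17 before the exponent can reach a shift or an allocation:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Parsed view of a Rock Ridge "ZF" (zisofs) SUSP entry. The 16-byte layout
 * assumed here: 'Z' 'F' len ver 'p' 'z' header_size log2_bs
 * uncompressed_size (LE32) uncompressed_size (BE32). */
struct zf_info {
    uint8_t  header_size;       /* zisofs header size, in 4-byte units */
    uint8_t  log2_bs;           /* log2 of the zisofs block size */
    uint32_t uncompressed_size;
};

enum { ZF_ENTRY_LEN = 16, ZF_LOG2_BS_MIN = 15, ZF_LOG2_BS_MAX = 17 };

/* What an unvalidated exponent does when it reaches `1 << log2_bs` on a 32-bit int. */
enum zf_bs_class {
    ZF_BS_OK,          /* 15..17: 32 KiB, 64 KiB or 128 KiB blocks, per zisofs */
    ZF_BS_TOO_SMALL,   /* 0..14: shift is defined, but the block is tiny and the
                          block-pointer table becomes far larger than expected */
    ZF_BS_TOO_LARGE,   /* 18..31: shift is defined, block exceeds what buffers assume */
    ZF_BS_SHIFT_UB     /* 32..255: shift count >= width of int, undefined (CWE-1335) */
};

/* The zisofs specification only allows block size exponents 15, 16 and 17. */
int zisofs_log2_bs_valid(uint8_t log2_bs)
{
    return log2_bs >= ZF_LOG2_BS_MIN && log2_bs <= ZF_LOG2_BS_MAX;
}

enum zf_bs_class classify_log2_bs(uint8_t log2_bs)
{
    if (zisofs_log2_bs_valid(log2_bs)) return ZF_BS_OK;
    if (log2_bs < ZF_LOG2_BS_MIN)      return ZF_BS_TOO_SMALL;
    if (log2_bs < 32)                  return ZF_BS_TOO_LARGE;
    return ZF_BS_SHIFT_UB;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Pre-fix shape of the parse: any byte is accepted as log2_bs. Returns 0 on success. */
int zf_parse_unchecked(const uint8_t *e, size_t len, struct zf_info *out)
{
    if (len < ZF_ENTRY_LEN || e[0] != 'Z' || e[1] != 'F' ||
        e[2] != ZF_ENTRY_LEN || e[3] != 1 || e[4] != 'p' || e[5] != 'z')
        return -1;                         /* not a paged-zlib ZF entry */
    out->header_size = e[6];
    out->log2_bs = e[7];
    out->uncompressed_size = le32(e + 8);
    return 0;
}

/* Hardened parse: same layout, but an out-of-range exponent is rejected so the
 * entry is never handed to the zisofs decompressor. Returns -2 in that case. */
int zf_parse_checked(const uint8_t *e, size_t len, struct zf_info *out)
{
    if (zf_parse_unchecked(e, len, out) != 0) return -1;
    if (!zisofs_log2_bs_valid(out->log2_bs)) return -2;
    return 0;
}

/* Bytes needed for the zisofs block-pointer table (one 32-bit pointer per block
 * plus one end pointer), computed only after the exponent has been validated. */
int zisofs_pointer_table_size(const struct zf_info *zi, uint64_t *out)
{
    if (!zisofs_log2_bs_valid(zi->log2_bs)) return -1;
    uint64_t bs = (uint64_t)1 << zi->log2_bs;
    uint64_t nblocks = ((uint64_t)zi->uncompressed_size + bs - 1) / bs;
    *out = (nblocks + 1) * 4;
    return 0;
}

/* Build a constructed ZF entry (test data, not taken from any real image). */
void make_zf_entry(uint8_t buf[ZF_ENTRY_LEN], uint8_t log2_bs, uint32_t usize)
{
    const uint8_t hdr[8] = { 'Z', 'F', ZF_ENTRY_LEN, 1, 'p', 'z', 4, log2_bs };
    for (int i = 0; i < 8; i++) buf[i] = hdr[i];
    for (int i = 0; i < 4; i++) {
        buf[8 + i]  = (uint8_t)(usize >> (8 * i));        /* little-endian copy */
        buf[12 + i] = (uint8_t)(usize >> (8 * (3 - i)));  /* big-endian copy */
    }
}

int main(void)
{
    /* Probe values from the detection notes above, plus one valid exponent. */
    const uint8_t probes[] = { 16, 0, 63, 64, 128, 255 };
    for (size_t i = 0; i < sizeof probes; i++) {
        uint8_t e[ZF_ENTRY_LEN];
        struct zf_info zi;
        make_zf_entry(e, probes[i], 100000);
        int rc = zf_parse_checked(e, sizeof e, &zi);
        printf("log2_bs=%3u class=%d checked_parse=%d\n",
               probes[i], (int)classify_log2_bs(probes[i]), rc);
    }
    return 0;
}
```

The point of the split between `zf_parse_unchecked` and `zf_parse_checked` is where the check lives: the exponent is rejected at parse time, before any `1 << log2_bs` or size computation sees it, which is the same place the real patch intervenes by disabling decompression for the entry. Note that `zisofs_pointer_table_size` refuses to compute anything for an unvalidated exponent rather than trying to "handle" 0 or 64, because for 0 the table for a 100000-byte file would need 100001 pointers and for 64 the shift itself has no defined result.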