CVE-2026-5121
Modified Modified - Updated After Analysis
Integer Overflow in libarchive zisofs Causes Remote Code Execution

Publication date: 2026-03-30

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5121
EUVD
EUVD-2026-17073
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
libarchive libarchive *
redhat hardened_images *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5121 is a vulnerability in the libarchive library affecting 32-bit systems. It arises from an integer overflow in the zisofs block pointer allocation logic when parsing ISO9660 images. Specifically, the vulnerability is triggered by a crafted ISO9660 image that sets an out-of-spec block-size exponent value, causing the calculation for memory allocation to overflow and wrap around to zero.

This results in a very small buffer being allocated, but the code then writes a large amount of data (approximately 4GB) into this buffer, causing a heap buffer overflow. This overflow can potentially allow a remote attacker to execute arbitrary code on the affected system.

The issue is mitigated by validating the block-size exponent strictly against allowed values and disabling zisofs decompression if the value is out of range, preventing the overflow.

Impact Analysis

This vulnerability can impact you by allowing a remote attacker to execute arbitrary code on your system if you process specially crafted ISO9660 images using libarchive on a 32-bit platform.

Exploitation of this flaw could lead to unauthorized control over the affected system, potentially compromising system integrity, confidentiality, and availability.

Detection Guidance

This vulnerability can be detected by testing the handling of specially crafted ISO9660 images with invalid zisofs block pointer values on 32-bit systems. A regression test named test_read_format_iso_zisofs_overflow uses a crafted ISO image with pz_log2_bs=2 and pz_uncompressed_size=0xFFFFFFF9 to reproduce the overflow condition.

To detect exploitation attempts or presence of vulnerable libarchive versions, you can monitor for crashes or heap buffer overflow errors when processing ISO9660 images, especially those with zisofs compressed data.

While no specific commands are provided, you can use tools like AddressSanitizer (ASAN) to run libarchive with crafted ISO files to detect heap buffer overflows.

Additionally, checking the version of libarchive installed on your system and verifying if it includes the fix for CVE-2026-5121 is a practical detection step.

Mitigation Strategies

The immediate mitigation step is to ensure that your libarchive library is updated to a version that includes the fix for CVE-2026-5121.

The fix involves strict validation of the pz_log2_bs field to ensure it is within the allowed range (15 to 17). If the value is outside this range, zisofs decompression is disabled, preventing the integer overflow and subsequent heap buffer overflow.

If updating is not immediately possible, avoid processing untrusted or specially crafted ISO9660 images with zisofs compressed data on 32-bit systems.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5121. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart