CVE-2026-5121
Modified - Updated After Analysis
Integer Overflow in libarchive zisofs Causes Remote Code Execution

Publication date: 2026-03-30

Last updated on: 2026-05-05

Assigner: Red Hat, Inc.

Description
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Meta Information
Published: 2026-03-30
Last Modified: 2026-05-05
Generated: 2026-05-07
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
redhat openshift_container_platform 4.0
redhat enterprise_linux 9.0
redhat enterprise_linux 10.0
libarchive libarchive *
redhat hardened_images *
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5121 is a vulnerability in the libarchive library affecting 32-bit systems. It arises from an integer overflow in the zisofs block pointer allocation logic when parsing ISO9660 images. Specifically, the vulnerability is triggered by a crafted ISO9660 image that sets an out-of-spec block-size exponent value, causing the calculation for memory allocation to overflow and wrap around to zero.

This results in a very small buffer being allocated, but the code then writes a large amount of data (approximately 4GB) into this buffer, causing a heap buffer overflow. This overflow can potentially allow a remote attacker to execute arbitrary code on the affected system.

The issue is mitigated by validating the block-size exponent strictly against allowed values and disabling zisofs decompression if the value is out of range, preventing the overflow.


How can this vulnerability impact me?

This vulnerability can impact you by allowing a remote attacker to execute arbitrary code on your system if you process specially crafted ISO9660 images using libarchive on a 32-bit platform.

Exploitation of this flaw could lead to unauthorized control over the affected system, potentially compromising system integrity, confidentiality, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the handling of specially crafted ISO9660 images with invalid zisofs block pointer values on 32-bit systems. A regression test named test_read_format_iso_zisofs_overflow uses a crafted ISO image with pz_log2_bs=2 and pz_uncompressed_size=0xFFFFFFF9 to reproduce the overflow condition.

To detect exploitation attempts or presence of vulnerable libarchive versions, you can monitor for crashes or heap buffer overflow errors when processing ISO9660 images, especially those with zisofs compressed data.

While no specific commands are provided, you can use tools like AddressSanitizer (ASAN) to run libarchive with crafted ISO files to detect heap buffer overflows.

Additionally, checking the version of libarchive installed on your system and verifying if it includes the fix for CVE-2026-5121 is a practical detection step.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to ensure that your libarchive library is updated to a version that includes the fix for CVE-2026-5121.

The fix involves strict validation of the pz_log2_bs field to ensure it is within the allowed range (15 to 17). If the value is outside this range, zisofs decompression is disabled, preventing the integer overflow and subsequent heap buffer overflow.

If updating is not immediately possible, avoid processing untrusted or specially crafted ISO9660 images with zisofs compressed data on 32-bit systems.
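
The arithmetic behind the wrap to zero and the range check described above, as an added example that is not libarchive's code. It assumes the block pointer table is sized as one 4-byte entry per block plus one, and truncates to `uint32_t` to stand in for a 32-bit `size_t`; the function names are hypothetical, and the sample values are the ones the regression test named on this page uses.

```c
#include <stdint.h>
#include <stdio.h>

/* Allowed pz_log2_bs range, as stated in the fix description on this page. */
#define LOG2_BS_MIN 15
#define LOG2_BS_MAX 17

/* Bytes needed for the block pointer table, in 64-bit arithmetic.
 * ASSUMPTION (not libarchive's code): one 4-byte pointer per block, plus one.
 * Callers must pass log2_bs < 32. */
static uint64_t table_bytes_needed(uint32_t uncompressed_size, unsigned log2_bs)
{
    uint64_t blocks = ((uint64_t)uncompressed_size + (1ULL << log2_bs) - 1) >> log2_bs;
    return (blocks + 1) * 4;
}

/* The same value as a 32-bit size_t would hold it: high bits are discarded. */
static uint32_t table_bytes_32bit(uint32_t uncompressed_size, unsigned log2_bs)
{
    return (uint32_t)table_bytes_needed(uncompressed_size, log2_bs);
}

/* Hardened sizing: returns 0 and sets *out, or -1 when zisofs decompression
 * should be disabled (exponent out of range, or size not representable). */
static int checked_table_bytes(uint32_t uncompressed_size, unsigned log2_bs,
                               uint32_t *out)
{
    if (log2_bs < LOG2_BS_MIN || log2_bs > LOG2_BS_MAX)
        return -1;
    uint64_t need = table_bytes_needed(uncompressed_size, log2_bs);
    if (need > UINT32_MAX)
        return -1;
    *out = (uint32_t)need;
    return 0;
}

int main(void)
{
    /* Values from the regression test described on this page. */
    const uint32_t size = 0xFFFFFFF9u;
    uint32_t out = 0;

    printf("log2_bs=2: needed=%llu, 32-bit alloc=%u\n",
           (unsigned long long)table_bytes_needed(size, 2),
           (unsigned)table_bytes_32bit(size, 2));
    printf("log2_bs=2 checked: %d\n", checked_table_bytes(size, 2, &out));
    if (checked_table_bytes(size, 15, &out) == 0)
        printf("log2_bs=15 checked: %u bytes\n", (unsigned)out);
    return 0;
}
```

With an in-range exponent the table stays small even for the largest 32-bit uncompressed size, which is why rejecting out-of-range exponents removes the overflow under this model.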

