CVE-2026-14164
Received Received - Intake

Double Free in libarchive RAR5 Reader

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Red Hat, Inc.

Description
A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
CVE-2026-14164
EUVD
EUVD-2026-40259

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libarchive libarchive *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14164 is a double-free vulnerability in the libarchive library's RAR5 decompression logic. It occurs because the filtered_buf pointer, which points to a memory buffer used during decompression, may remain set after the memory it points to has been freed during unpacking state reinitialization.

When processing a specially crafted RAR5 archive, this stale pointer can cause the same memory region to be freed twice. This double-free condition can cause the application using libarchive to crash unexpectedly.

The root cause is that during the init_unpack() function, the filtered_buf memory is freed but the pointer is not cleared, leading to a dangling pointer. If a subsequent memory allocation fails, the cleanup process attempts to free the same memory again.

Impact Analysis

Exploitation of this vulnerability can cause applications using the vulnerable libarchive API to terminate unexpectedly, resulting in a denial of service (DoS).

The double-free condition can lead to memory corruption and crashes, which disrupt normal application operation.

In some cases, such memory corruption vulnerabilities may be leveraged for arbitrary code execution, although the primary impact described here is denial of service.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal termination of applications using the libarchive library when processing RAR5 archives, especially those that decompress RAR5 files with filters.

Using debugging tools such as AddressSanitizer can help identify double-free errors during testing or runtime.

A practical approach is to test the system with specially crafted RAR5 archives that trigger the double-free condition and observe if the application crashes or aborts.

No specific network commands are provided in the resources, but monitoring application logs for crashes related to libarchive or using memory debugging tools during decompression operations is recommended.

Mitigation Strategies

Immediate mitigation involves updating the libarchive library to a version that includes the fix for CVE-2026-14164.

The fix prevents the dangling pointer from causing a double-free during the RAR5 decompression process, as merged in pull request #3071.

Until an update is applied, avoid processing untrusted or specially crafted RAR5 archives that could exploit this vulnerability.

Additionally, monitoring applications for crashes and applying any vendor patches or advisories related to libarchive is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14164. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart