CVE-2026-15028
Received Received - Intake

Heap Overflow in libarchive via Malformed PAX Header

Vulnerability report for CVE-2026-15028, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Red Hat, Inc.

Description

A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libarchive libarchive *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15028 is a vulnerability in the libarchive library's tar PAX reader that causes a heap buffer out-of-bounds (OOB) read. It happens when parsing a specially crafted tar archive containing a PAX extended header with the SUN.holesdata sparse-file attribute. The parser incorrectly handles the length of this attribute's value, leading to reading one byte beyond the allocated buffer.

Specifically, the function pax_attribute_SUN_holesdata reads a byte after the end of the buffer if the final number in the SUN.holesdata value exactly consumes the entire buffer. This results in a heap-buffer-overflow condition.

The vulnerability can be triggered remotely by providing a malicious tar archive, and it was confirmed using AddressSanitizer tools.

Impact Analysis

Successful exploitation of this vulnerability can lead to a denial of service (DoS), making the affected system unavailable.

Additionally, it may allow an attacker to execute arbitrary code on the affected system, potentially gaining control over it.

Detection Guidance

This vulnerability can be detected by analyzing tar archives for specially crafted PAX extended headers containing the SUN.holesdata sparse-file attribute that trigger heap buffer overflows during parsing.

Detection can involve monitoring or testing the libarchive tar parsing functionality with crafted tar files that include malformed SUN.holesdata attributes to observe if heap-buffer-overflow errors occur.

Using debugging tools such as AddressSanitizer while processing suspicious tar archives can help identify the heap-buffer-overflow condition.

No specific commands are provided in the resources, but a practical approach is to run the tar extraction or libarchive-based archive_read_open() calls on test archives with crafted PAX headers and monitor for crashes or sanitizer reports.

Mitigation Strategies

Immediate mitigation involves updating libarchive to a version that includes the fix merged on July 7, 2026, which prevents the out-of-bounds read by properly validating buffer boundaries during parsing.

Until the update is applied, avoid processing untrusted or suspicious tar archives containing PAX extended headers with the SUN.holesdata attribute.

Monitoring for patches or security advisories from libarchive or your operating system vendor and applying them promptly is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15028. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart