CVE-2025-5915

libarchive: heap buffer over-read in copy_from_lzss_window() in archive_read_support_format_rar.c

Published: 6/9/2025 Last updated: 11/21/2025 Reserved: 6/9/2025

A vulnerability has been identified in the libarchive library. The flaw is a heap buffer over-read in the RAR reader: the size of a filter block can exceed the Lempel-Ziv-Storer-Szymanski (LZSS) window, so copy_from_lzss_window() may read past the end of the allocated window buffer. Reading beyond the buffer can result in unpredictable program behavior, crashes (denial of service), or disclosure of sensitive information from adjacent heap memory.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version Score Severity Vector String
3.1 3.9 Low CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Opam packages affected (1)

conf-cpio

Products affected (14)

Product Vendor Version
Snapdragon 780G 5G Mobile Platform
Red Hat Enterprise Linux 10 Red Hat All supported versions of FreeBSD.
Red Hat Enterprise Linux 6 Red Hat X8.11.2
Red Hat Enterprise Linux 7 Red Hat X8.6
Red Hat Enterprise Linux 8 Red Hat X8.11.3
Red Hat Enterprise Linux 9 Red Hat see the reference URL
Red Hat Enterprise Linux 8 Red Hat < publication
Red Hat Enterprise Linux 9 Red Hat < publication
n/a
Red Hat Enterprise Linux 10 Red Hat T2.12.h3.00 and earlier versions
Red Hat Enterprise Linux 6 Red Hat Adobe Acrobat Reader 11.0.19 and earlier, 15.006.30280 and earlier, 15.023.20070 and earlier.
Red Hat Enterprise Linux 7 Red Hat < 10.0.20348.1668
Red Hat OpenShift Container Platform 4 Red Hat X8.2.2
Red Hat OpenShift Container Platform 4 Red Hat T1.01.h4.00 and earlier versions

References (8)