It was discovered that libarchive incorrectly handled certain RAR archives. An attacker could possibly use this issue to cause an out-of-bounds read via a crafted RAR archive, leading to sensitive memory disclosure. (CVE-2026-4424)

It was discovered that libarchive incorrectly handled certain ISO files. An attacker could possibly use this issue to cause incorrect memory allocation via a crafted ISO file, leading to a denial of service. (CVE-2026-4426)

It was discovered that libarchive incorrectly handled block pointer allocation in zisofs on 32-bit systems. An attacker could possibly use this issue to cause a heap buffer overflow via a crafted ISO9660 image, possibly leading to arbitrary code execution. (CVE-2026-5121)

Multiple vulnerabilities in libarchive allow for denial of service, memory disclosure, or arbitrary code execution via crafted RAR (CVE-2026-4424, CVSS 7.5 HIGH) and ISO files (CVE-2026-4426, CVSS 6.5 MEDIUM; CVE-2026-5121, CVSS 7.5 HIGH). The affected versions include Red Hat Enterprise Linux 6.0 and 7.0, Red Hat OpenShift Container Platform 4.0 and 4.16, and Red Hat hardened images.