CVE-2024-26256 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
microsoft	CNA	7.8 HIGH				CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 97%

Affected Products (NVD)

Vendor	Product	Version
libarchive	libarchive	𝑥 < 3.7.4
microsoft	windows_11_22h2	𝑥 < 10.0.22621.3447
microsoft	windows_11_23h2	𝑥 < 10.0.22631.3447
microsoft	windows_server_2022_23h2	𝑥 < 10.0.25398.830

𝑥

= Vulnerable software versions

Windows Releases

Platform

Version

Windows 11

22H2 (arm64, x64)	KB5036893
23H2 (arm64, x64)	KB5036893

Windows Server 2022

23H2 Server Core

Debian Releases

Debian Product

Codename

libarchive

bookworm	3.6.2-1+deb12u3 fixed
bookworm (security)	3.6.2-1+deb12u2 fixed
bullseye	3.4.3-2+deb11u1 not-affected
bullseye (security)	3.4.3-2+deb11u3 fixed
buster	not-affected
forky	3.7.4-4 fixed
sid	3.7.4-4 fixed
trixie	3.7.4-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

libarchive

bionic	not-affected
focal	not-affected
jammy	Fixed 3.6.0-1ubuntu1.1 released
mantic	Fixed 3.6.2-1ubuntu1.1 released
noble	Fixed 3.7.2-2ubuntu0.1 released
trusty	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26256

http://www.openwall.com/lists/oss-security/2024/06/04/2

http://www.openwall.com/lists/oss-security/2024/06/05/1

https://github.com/LeSuisse/nixpkgs/commit/81b82a2934521dffef76f7ca305d8d4e22fe7262

https://github.com/libarchive/libarchive/commit/eb7939b24a681a04648a59cdebd386b1e9dc9237.patch

https://github.com/libarchive/libarchive/releases/tag/v3.7.4

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWANFZ6NEMXFCALXWI2AFKYBOLONAVFC/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TWAMR5TY47UKVYMWQXB34CWSBNTRYMBV/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26256

https://www.openwall.com/lists/oss-security/2024/06/04/2