CVE-2025-5917

EUVD-2025-17574
A vulnerability has been identified in the libarchive library. This flaw involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names. This can lead to a 1-byte write overflow. While seemingly small, such an overflow can corrupt adjacent memory, leading to unpredictable program behavior, crashes, or in specific circumstances, could be leveraged as a building block for more sophisticated exploitation. This bug affects libarchive versions prior to 3.8.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
2.8 LOW
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Affected Products (NVD)
VendorProductVersion
libarchivelibarchive
𝑥
< 3.8.0
redhatopenshift_container_platform
4.0
redhatenterprise_linux
6.0
redhatenterprise_linux
7.0
redhatenterprise_linux
8.0
redhatenterprise_linux
9.0
redhatenterprise_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libarchive
bookworm
3.6.2-1+deb12u4
fixed
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
3.4.3-2+deb11u4
fixed
forky
3.8.8-1
fixed
sid
3.8.8-1
fixed
trixie
3.7.4-4+deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libarchive
bionic
Fixed 3.2.2-3.1ubuntu0.7+esm2
released
focal
Fixed 3.4.0-2ubuntu1.5+esm1
released
jammy
Fixed 3.6.0-1ubuntu1.5
released
noble
Fixed 3.7.2-2ubuntu0.5
released
oracular
Fixed 3.7.4-1ubuntu0.3
released
plucky
Fixed 3.7.7-0ubuntu2.3
released
questing
Fixed 3.7.7-0ubuntu3
released
trusty
Fixed 3.1.2-7ubuntu2.8+esm4
released
xenial
Fixed 3.1.2-11ubuntu0.16.04.8+esm2
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
bsdtar
suse enterprise sap 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.21.1
fixed
libarchive-devel
suse enterprise desktop 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise desktop 15 SP7
3.7.2-150600.3.17.1
fixed
suse enterprise sap 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.21.1
fixed
suse enterprise sap 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise sap 15 SP7
3.7.2-150600.3.17.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise server 15 SP7
3.7.2-150600.3.17.1
fixed
libarchive13
suse enterprise desktop 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise desktop 15 SP7
3.7.2-150600.3.17.1
fixed
suse enterprise sap 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.21.1
fixed
suse enterprise sap 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise sap 15 SP7
3.7.2-150600.3.17.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.21.1
fixed
suse enterprise server 15 SP6
3.7.2-150600.3.17.1
fixed
suse enterprise server 15 SP7
3.7.2-150600.3.17.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
bsdcat
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdcat-debuginfo
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdcpio
Amazon Linux 2
0:3.1.2-14.amzn2.0.5
fixed
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdcpio-debuginfo
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdtar
Amazon Linux 2
0:3.1.2-14.amzn2.0.5
fixed
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdtar-debuginfo
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdunzip
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
bsdunzip-debuginfo
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
libarchive
Amazon Linux 2
0:3.1.2-14.amzn2.0.5
fixed
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
libarchive-debuginfo
Amazon Linux 2
0:3.1.2-14.amzn2.0.5
fixed
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
libarchive-debugsource
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
libarchive-devel
Amazon Linux 2
0:3.1.2-14.amzn2.0.5
fixed
Amazon Linux 2023
0:3.7.4-2.amzn2023.0.4
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
cmake
Azure Linux 3.0
0:3.30.3-8.azl3
fixed
CBL-Mariner 2.0
0:3.21.4-20.cm2
fixed
libarchive
Azure Linux 3.0
0:3.7.7-3.azl3
fixed
CBL-Mariner 2.0
0:3.6.1-7.cm2
fixed