CVE-2025-60753

EUVD-2025-37900
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
Affected Products (NVD)
VendorProductVersion
libarchivelibarchive
𝑥
≤ 3.8.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libarchive
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
forky
3.8.7-1
fixed
sid
3.8.8-1
fixed
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libarchive
bionic
Fixed 3.2.2-3.1ubuntu0.7+esm2
released
focal
Fixed 3.4.0-2ubuntu1.5+esm1
released
jammy
Fixed 3.6.0-1ubuntu1.6
released
noble
Fixed 3.7.2-2ubuntu0.6
released
plucky
ignored
questing
Fixed 3.7.7-0ubuntu3.1
released
trusty
Fixed 3.1.2-7ubuntu2.8+esm4
released
xenial
Fixed 3.1.2-11ubuntu0.16.04.8+esm2
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
bsdtar
suse enterprise sap 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP6
3.7.2-150600.3.20.1
fixed
libarchive-devel
suse enterprise desktop 15 SP7
3.7.2-150600.3.20.1
fixed
suse enterprise sap 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise sap 15 SP7
3.7.2-150600.3.20.1
fixed
suse enterprise server 12 SP5
3.3.3-32.17.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP6
3.7.2-150600.3.20.1
fixed
suse enterprise server 15 SP7
3.7.2-150600.3.20.1
fixed
libarchive13
suse enterprise desktop 15 SP7
3.7.2-150600.3.20.1
fixed
suse enterprise sap 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise sap 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise sap 15 SP7
3.7.2-150600.3.20.1
fixed
suse enterprise server 12 SP5
3.3.3-32.17.1
fixed
suse enterprise server 15 SP4
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP5
3.5.1-150400.3.24.1
fixed
suse enterprise server 15 SP6
3.7.2-150600.3.20.1
fixed
suse enterprise server 15 SP7
3.7.2-150600.3.20.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
libarchive
Azure Linux 3.0
0:3.7.7-4.azl3
fixed
CBL-Mariner 2.0
0:3.6.1-8.cm2
fixed