libarchive: Security vulnerability turns out to be critical
A security vulnerability in libarchive has turned out to be a critical risk. The CERT-Bund has now taken note of the updated rating.
There is a security vulnerability in the open-source compression library libarchive that was initially classified as low risk. However, some time after the publication of the updated sources, the US NIST came to the conclusion that the flaw actually poses a critical threat. This has now come to the attention of the CERT-Bund of the German Federal Office for Information Security (BSI).
When processing .rar archives, an integer overflow can occur in the archive_read_format_rar_seek_data() function. This can result in a "double free", in which resources that have already been released are released a second time. The resulting memory corruption potentially allows attackers to inject and execute malicious code or to cause a denial of service (CVE-2025-5914 / EUVD-2025-17572, CVSS 9.8, risk "critical").
Subsequently higher risk recognized
The original notification of the vulnerability to the libarchive project by Tobias Stöckmann, together with a proof-of-concept exploit, took place on May 10 of this year. On May 20, the developers released version 3.8.0 of libarchive. The public vulnerability report was then published on GitHub on June 9. The CVE number CVE-2025-5914 was also assigned there, but initially with a CVSS score of 3.9 (risk "low"), the rating Red Hat had given the vulnerability.
However, based on an updated attack vector, NIST concluded on June 20 that the vulnerability warrants a CVSS score of 9.8 and should therefore be classified as "critical". The change went largely unnoticed until FreeBSD published its security advisory over the weekend.
Not only Linux and Unix distributions rely on libarchive – there, admins should open their distribution's package management and check for available updates – but libarchive is now also at work in Windows. When the upgraded Windows ZIP tool, which now supports several archive formats, was announced at Microsoft Build 2023, Panos Panay, then head of the Windows and Devices product division, said that native support for .tar, 7-zip, .rar, .gz and many other formats would be provided by using the open-source project libarchive. It is currently unclear whether Microsoft will update the library to a fixed version for the upcoming patch day or whether it has already done so in the past two months.
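The practical question raised above is whether the libarchive on a given machine is at least version 3.8.0, the release the article names as the first to contain the fix. The following script is an added example (it is neither part of the article nor libarchive project code) that checks this in two ways: by loading the shared library and calling its real archive_version_number() function, which encodes the version as major*1000000 + minor*1000 + release (3008000 for 3.8.0), and by parsing the output of bsdtar --version, which is assumed here to contain the text "libarchive X.Y.Z". The 3.8.0 threshold is taken from the article; whether a vendor backported the fix into an older version string is not something a version check can tell you.

```python
"""Check whether an installed libarchive is at or above 3.8.0, the first
release that (per the article) ships the fix for CVE-2025-5914.

Added example, not libarchive project code. Assumes the standard libarchive
C API function archive_version_number() and that `bsdtar --version` prints
a string containing "libarchive X.Y.Z".
"""
import ctypes
import ctypes.util
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First release containing the fix, as stated in the article.
FIXED_VERSION: Tuple[int, int, int] = (3, 8, 0)


def version_number_to_tuple(num: int) -> Tuple[int, int, int]:
    """Decode libarchive's integer version encoding
    (major*1000000 + minor*1000 + release), e.g. 3008000 -> (3, 8, 0)."""
    return (num // 1000000, (num // 1000) % 1000, num % 1000)


def parse_version_string(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the libarchive version from text such as
    'bsdtar 3.7.4 - libarchive 3.7.4 zlib/1.3.1 ...' (constructed sample)."""
    m = re.search(r"libarchive\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, release = (int(x) for x in m.groups())
    return (major, minor, release)


def is_fixed(version: Tuple[int, int, int]) -> bool:
    """True if the version is at or above the fixed release.
    Note: distribution backports may fix older version strings; this check
    cannot see that and errs on the side of reporting 'vulnerable'."""
    return version >= FIXED_VERSION


def query_shared_library() -> Optional[Tuple[int, int, int]]:
    """Ask the loaded libarchive itself; None if it cannot be loaded."""
    path = ctypes.util.find_library("archive")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.archive_version_number.restype = ctypes.c_int
        return version_number_to_tuple(lib.archive_version_number())
    except (OSError, AttributeError):
        return None


def query_bsdtar() -> Optional[Tuple[int, int, int]]:
    """Parse `bsdtar --version`; None if bsdtar is not installed."""
    exe = shutil.which("bsdtar")
    if not exe:
        return None
    try:
        out = subprocess.run([exe, "--version"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version_string(out)


def report(name: str, found: Optional[Tuple[int, int, int]]) -> str:
    """Human-readable verdict for one source of version information."""
    if found is None:
        return f"{name}: not found"
    status = "fixed" if is_fixed(found) else "VULNERABLE (older than 3.8.0)"
    return f"{name}: libarchive {'.'.join(map(str, found))} -> {status}"


if __name__ == "__main__":
    print(report("shared library", query_shared_library()))
    print(report("bsdtar", query_bsdtar()))
```

Running the script prints one verdict per source; "not found" for both simply means no libarchive is visible to this user, not that the system is safe, since other programs (such as the Windows tooling mentioned above) may bundle their own copy.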
(dmk)