Libarchive: integer overflow while reading warc files at archive_read_support_format_warc.c
Summary
| CVE | CVE-2025-5916 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2025-06-09 20:15:27 UTC |
| Updated | 2026-06-30 11:16:25 UTC |
| Description | A vulnerability has been identified in the libarchive library. This flaw involves an integer overflow that can be triggered when processing a Web Archive (WARC) file that claims to have more than INT64_MAX - 4 content bytes. An attacker could craft a malicious WARC archive to induce this overflow, potentially leading to unpredictable program behavior, memory corruption, or a denial-of-service condition within applications that process such archives using libarchive. This bug affects libarchive versions prior to 3.8.0. |
Risk And Classification
Primary CVSS: v3.1 5.6 MEDIUM from [email protected]
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
EPSS: 0.001550000 probability, percentile 0.050130000 (date 2026-07-04)
Problem Types: CWE-190 | CWE-190 Integer Overflow or Wraparound
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 5.6 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H |
| 3.1 | [email protected] | Secondary | 3.9 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L |
| 3.1 | CNA | CVSS | 3.9 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L |
CVSS v3.1 Breakdown
Attack Vector
LocalAttack Complexity
LowPrivileges Required
LowUser Interaction
RequiredScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
HighCVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Libarchive | Libarchive | All | All | All | All |
| Operating System | Redhat | Enterprise Linux | 10.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 9.0 | All | All | All |
| Application | Redhat | Openshift Container Platform | 4.0 | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| CNA | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/libarchive/libarchive/releases/tag/v3.8.0 | [email protected] | github.com | Release Notes |
| access.redhat.com/security/cve/CVE-2025-5916 | [email protected] | access.redhat.com | Vendor Advisory |
| github.com/libarchive/libarchive/pull/2568 | [email protected] | github.com | Patch |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | Issue Tracking |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-06-06T19:10:04.612Z | Reported to Red Hat. |
| CNA | 2025-05-20T00:00:00.000Z | Made public. |
Workarounds
CNA: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
There are currently no legacy QID mappings associated with this CVE.