Double Free Vulnerability in Libarchive's RAR5 Reader Affects Users
CVE-2026-14164

7.5 HIGH

What is CVE-2026-14164?

A double free vulnerability has been discovered in the RAR5 reader in Libarchive, caused by improper memory handling while processing specially crafted RAR5 archives. When the unpacking state is reinitialized, the filtered_buf pointer may be left stale after its buffer is freed, so the same memory can be freed a second time. This may allow an attacker to exploit the flaw, causing applications that use the Libarchive API to terminate unexpectedly, resulting in a denial of service.
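The stale-pointer pattern described above, as an added example that is not Libarchive's code: a simplified state struct (hypothetical apart from the field name filtered_buf) whose reinit path frees the buffer, shown without and with clearing the pointer. A fixed arena with a liveness flag stands in for malloc/free so the repeated release is counted instead of executed; placing the second free in teardown is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified unpacking state; only the field name
 * filtered_buf comes from the advisory text. */
struct unpack_state {
    uint8_t *filtered_buf;
    size_t   filtered_size;
};

/* Stand-in allocator: one fixed buffer plus a liveness flag, so a
 * repeated release is counted rather than corrupting the real heap. */
static uint8_t arena[64];
static int arena_live;
static int double_frees;

static uint8_t *arena_alloc(void) { arena_live = 1; return arena; }

static void arena_free(uint8_t *p) {
    if (p == NULL) return;                      /* like free(NULL): no-op */
    if (!arena_live) { double_frees++; return; } /* second release caught */
    arena_live = 0;
}

/* Before: the buffer is released but the pointer is left stale. */
static void reinit_stale(struct unpack_state *s) {
    arena_free(s->filtered_buf);
    s->filtered_size = 0;
}

/* After: the pointer is cleared in the same step as the release. */
static void reinit_hardened(struct unpack_state *s) {
    arena_free(s->filtered_buf);
    s->filtered_buf = NULL;
    s->filtered_size = 0;
}

/* Teardown releases whatever the state still points at (assumed path). */
static void cleanup(struct unpack_state *s) {
    arena_free(s->filtered_buf);
    s->filtered_buf = NULL;
}

/* Runs reinit followed by teardown; returns the double frees observed. */
static int run_lifecycle(void (*reinit)(struct unpack_state *)) {
    struct unpack_state s = { arena_alloc(), sizeof arena };
    double_frees = 0;
    reinit(&s);
    cleanup(&s);
    return double_frees;
}

int main(void) {
    printf("stale reinit: %d double free(s)\n", run_lifecycle(reinit_stale));
    printf("hardened reinit: %d double free(s)\n", run_lifecycle(reinit_hardened));
    return 0;
}
```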

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
