Home / mailings [USN-8292-1] libarchive vulnerabilities
Posted on 21 May 2026
Ubuntu Security==========================================================================Ubuntu Security Notice USN-8292-1
May 21, 2026
libarchive vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 26.04 LTS
- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary:
Several security issues were fixed in libarchive.
Software Description:
- libarchive: Library to read/write archive files
Details:
It was discovered that libarchive incorrectly handled certain RAR
archives. An attacker could possibly use this issue to cause an
out-of-bounds read via a crafted RAR archive, leading to sensitive
memory disclosure. (CVE-2026-4424)
It was discovered that libarchive incorrectly handled certain ISO files.
An attacker could possibly use this issue to cause incorrect memory
allocation via a crafted ISO file, leading to a denial of service.
(CVE-2026-4426)
It was discovered that libarchive incorrectly handled block pointer
allocation in zisofs on 32-bit systems. An attacker could possibly use
this issue to cause a heap buffer overflow via a crafted ISO9660 image,
possibly leading to arbitrary code execution. (CVE-2026-5121)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 26.04 LTS
libarchive-dev 3.8.5-1ubuntu2.1
libarchive-tools 3.8.5-1ubuntu2.1
libarchive13t64 3.8.5-1ubuntu2.1
Ubuntu 25.10
libarchive-dev 3.7.7-0ubuntu3.2
libarchive-tools 3.7.7-0ubuntu3.2
libarchive13t64 3.7.7-0ubuntu3.2
Ubuntu 24.04 LTS
libarchive-dev 3.7.2-2ubuntu0.7
libarchive-tools 3.7.2-2ubuntu0.7
libarchive13t64 3.7.2-2ubuntu0.7
Ubuntu 22.04 LTS
libarchive-dev 3.6.0-1ubuntu1.7
libarchive-tools 3.6.0-1ubuntu1.7
libarchive13 3.6.0-1ubuntu1.7
Ubuntu 20.04 LTS
libarchive-dev 3.4.0-2ubuntu1.5+esm2
Available with Ubuntu Pro
libarchive-tools 3.4.0-2ubuntu1.5+esm2
Available with Ubuntu Pro
libarchive13 3.4.0-2ubuntu1.5+esm2
Available with Ubuntu Pro
Ubuntu 18.04 LTS
bsdcpio 3.2.2-3.1ubuntu0.7+esm3
Available with Ubuntu Pro
bsdtar 3.2.2-3.1ubuntu0.7+esm3
Available with Ubuntu Pro
libarchive-dev 3.2.2-3.1ubuntu0.7+esm3
Available with Ubuntu Pro
libarchive-tools 3.2.2-3.1ubuntu0.7+esm3
Available with Ubuntu Pro
libarchive13 3.2.2-3.1ubuntu0.7+esm3
Available with Ubuntu Pro
Ubuntu 16.04 LTS
bsdcpio 3.1.2-11ubuntu0.16.04.8+esm3
Available with Ubuntu Pro
bsdtar 3.1.2-11ubuntu0.16.04.8+esm3
Available with Ubuntu Pro
libarchive-dev 3.1.2-11ubuntu0.16.04.8+esm3
Available with Ubuntu Pro
libarchive13 3.1.2-11ubuntu0.16.04.8+esm3
Available with Ubuntu Pro
Ubuntu 14.04 LTS
bsdcpio 3.1.2-7ubuntu2.8+esm5
Available with Ubuntu Pro
bsdtar 3.1.2-7ubuntu2.8+esm5
Available with Ubuntu Pro
libarchive-dev 3.1.2-7ubuntu2.8+esm5
Available with Ubuntu Pro
libarchive13 3.1.2-7ubuntu2.8+esm5
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-8292-1
CVE-2026-4424, CVE-2026-4426, CVE-2026-5121
Package Information:
https://launchpad.net/ubuntu/+source/libarchive/3.8.5-1ubuntu2.1
https://launchpad.net/ubuntu/+source/libarchive/3.7.7-0ubuntu3.2
https://launchpad.net/ubuntu/+source/libarchive/3.7.2-2ubuntu0.7
https://launchpad.net/ubuntu/+source/libarchive/3.6.0-1ubuntu1.7
--===============4432054690269425038==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
