CVE-2025-5914 PUBLISHED

Libarchive: double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c

Assigner: redhat
Reserved: 09.06.2025
Published: 09.06.2025
Updated: 05.02.2026

A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.8

Product Status

Package Collection https://github.com/libarchive/libarchive/
Package Name libarchive
Versions Default: unaffected
  • affected from 0 to 3.8.0 (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
  • unaffected from 0:3.7.7-4.el10_0 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 7 Extended Lifecycle Support
Versions Default: affected
  • unaffected from 0:3.1.2-14.el7_9.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
  • unaffected from 0:3.3.3-6.el8_10 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.2 Advanced Update Support
Versions Default: affected
  • unaffected from 0:3.3.2-8.el8_2.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 0:3.3.3-1.el8_4.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On
Versions Default: affected
  • unaffected from 0:3.3.3-1.el8_4.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Versions Default: affected
  • unaffected from 0:3.3.3-6.el8_6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Versions Default: affected
  • unaffected from 0:3.3.3-6.el8_6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:3.3.3-6.el8_6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Versions Default: affected
  • unaffected from 0:3.3.3-5.el8_8.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:3.3.3-5.el8_8.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected
  • unaffected from 0:3.5.3-6.el9_6 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:3.5.3-2.el9_0.1 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Versions Default: affected
  • unaffected from 0:3.5.3-5.el9_2 to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 9.4 Extended Update Support
Versions Default: affected
  • unaffected from 0:3.5.3-4.el9_4.1 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.14
Versions Default: affected
  • unaffected from 414.92.202510211419-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.15
Versions Default: affected
  • unaffected from 415.92.202601271320-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.16
Versions Default: affected
  • unaffected from 416.94.202601071926-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.17
Versions Default: affected
  • unaffected from 417.94.202510112152-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.18
Versions Default: affected
  • unaffected from 418.94.202510230424-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.19
Versions Default: affected
  • unaffected from 4.19.9.6.202510140714-0 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4.20
Versions Default: affected
  • unaffected from 4.20.9.6.202509251656-0 to * (excl.)
Vendor Red Hat
Product Red Hat Web Terminal 1.11 on RHEL 9
Versions Default: affected
  • unaffected from 1.11-19 to * (excl.)
Vendor Red Hat
Product Red Hat Web Terminal 1.11 on RHEL 9
Versions Default: affected
  • unaffected from 1.11-8 to * (excl.)
Vendor Red Hat
Product Red Hat Web Terminal 1.12 on RHEL 9
Versions Default: affected
  • unaffected from 1.12-4 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-11 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-10 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-4 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-9 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-12 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-18 to * (excl.)
Vendor Red Hat
Product RHOSS-1.36-RHEL-8
Versions Default: affected
  • unaffected from 1.36.0-7 to * (excl.)
Vendor Red Hat
Product cert-manager operator for Red Hat OpenShift 1.16
Versions Default: affected
  • unaffected from sha256:1abdfac084e7c86e7a93a19e5cf6b54db79b903bfb7474a42200f753b29eda4b to * (excl.)
Vendor Red Hat
Product Compliance Operator 1
Versions Default: affected
  • unaffected from sha256:b282ae2e5cfe451081785f221137d45d05320cf0017c3f1cba18a509d43eb6d9 to * (excl.)
Vendor Red Hat
Product Compliance Operator 1
Versions Default: affected
  • unaffected from sha256:8294e4b1b531457282270c375f4045ea2baf20a0a8a637006364096a9dec3c41 to * (excl.)
Vendor Red Hat
Product Compliance Operator 1
Versions Default: affected
  • unaffected from sha256:525c4d55fde92557bd0c3123961cb32eee28edca3aaa884e224d5efa4f3c4f83 to * (excl.)
Vendor Red Hat
Product File Integrity Operator 1
Versions Default: affected
  • unaffected from sha256:364d11af112a5b1d3f28c9ea8b7aac678e111b9c7fca0516d61036904f318605 to * (excl.)
Vendor Red Hat
Product Red Hat Discovery 2
Versions Default: affected
  • unaffected from sha256:c85cfbcaf7888885e57596b7b8bde3894718cfc33326499b24961a66a62cf083 to * (excl.)
Vendor Red Hat
Product Red Hat Insights proxy 1.5
Versions Default: affected
  • unaffected from sha256:b7f671263af799e681ccca9b07420c1b5cee369282b5e1520557ee2414618652 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:73ddf7caa420d1cb2027068dabcc7bbf07fdd160135ab12ad0656cec5dbef185 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:540ed092ec7c7e8e07927636ccdb04a662a7108c295f793028494c9184bdf85b to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:86d400b195958c287846ae60d76d2ec277740da3d3de033c7e72ab9a42370b4b to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:e17c9de114b6b89e9c66642ab5f95b62321d367b6d22be1464cf89dbc3ead673 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:da510d9c86c877d8f4cdcddfa337b16858dd4e490cc3e85124b2076408499826 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:69c5921a94e0ac1f254ac8bc1fbd400fc4322b0537320dcd205d9ad854b277f3 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:f250e39033d7cb1d786e5a7ec6798c25d4c5d8c6ecbcf6828915605fc4658da5 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:9407bf93b2128d5da4a14b2ba8dd48a27b688fbb962b9383e7cb260ab43b6f24 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift distributed tracing 3.5.1
Versions Default: affected
  • unaffected from sha256:c1e80172a78d227fb1076cbf608e42b2c551cc09233abd9a6ada74af06758447 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:7b6bd3411ca5ec140968975d4f11f3ec0686b6fbca0ce05288e041ee2e569a89 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:99cc26f9e0e5b0f29cb7f34fe3aa5c974e935fdf21e0f3ad02f1af571113a32c to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:9ff002e628e5646b5ab3cc9201087847bea29569b4a1bc135b89d5c1a5f0a422 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:6b2da66d287083cf823f6efd8d61ba6a1be10eb6ba8cda484dea4e2ab67ae108 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:cead623ceda4048cabaa81c371ed2a8143f5c5514276fca1d71685bd9e6d1e65 to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:59fb1f7f1653361d94f7d48b42d8fe19ed3263c1c78654837c11f2135544c1ac to * (excl.)
Vendor Red Hat
Product Red Hat OpenShift sandboxed containers 1.1
Versions Default: affected
  • unaffected from sha256:869dabef4a7bf424fb000f5d5f772f02b1c4653fe08fff96ec67e0adf2b2c27d to * (excl.)
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unknown

Problem Types

  • Integer Overflow or Wraparound CWE