{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-14T19:08:12.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/libarchive/libarchive/issues/1672"}, {"name": "FEDORA-2022-bbb5ec21b2", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBYGJICQ7FKDZ2IIOAH423IHWQ6MNONQ/"}, {"name": "GLSA-202208-26", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-26"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-26280", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/libarchive/libarchive/issues/1672", "refsource": "MISC", "url": "https://github.com/libarchive/libarchive/issues/1672"}, {"name": "FEDORA-2022-bbb5ec21b2", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SBYGJICQ7FKDZ2IIOAH423IHWQ6MNONQ/"}, {"name": "GLSA-202208-26", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-26"}]}}}, "adp": [{"title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/libarchive/libarchive/issues/1672"}, {"name": "FEDORA-2022-bbb5ec21b2", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBYGJICQ7FKDZ2IIOAH423IHWQ6MNONQ/"}, {"name": "GLSA-202208-26", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-26"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:46:12.619Z"}}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-26280", "datePublished": "2022-03-28T21:28:45.000Z", "dateReserved": "2022-02-28T00:00:00.000Z", "dateUpdated": "2025-11-03T21:46:12.619Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libarchive:libarchive:3.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "C9594979-AC53-44D6-8C1B-22A60A058D3F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init."}, {"lang": "es", "value": "Se ha detectado que Libarchive versi\u00f3n v3.6.0, contiene una lectura fuera de l\u00edmites por medio del componente zipx_lzma_alone_init"}], "id": "CVE-2022-26280", "lastModified": "2025-11-03T22:15:57.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-28T22:15:09.637", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/libarchive/libarchive/issues/1672"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBYGJICQ7FKDZ2IIOAH423IHWQ6MNONQ/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-26"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/libarchive/libarchive/issues/1672"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/11/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SBYGJICQ7FKDZ2IIOAH423IHWQ6MNONQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-26"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5252", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libarchive-0:3.5.3-2.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-07-01T00:00:00Z"}, {"advisory": "RHSA-2022:5252", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "libarchive-0:3.5.3-2.el9_0", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2022-07-01T00:00:00Z"}], "bugzilla": {"description": "libarchive: an out-of-bounds read via the component zipx_lzma_alone_init", "id": "2071931", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2071931"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "verified"}, "cwe": "CWE-125", "details": ["Libarchive v3.6.0 was discovered to contain an out-of-bounds read via the component zipx_lzma_alone_init.", "An out-of-bounds read flaw was found in libarchive. This flaw allows an attacker who can supply a specially crafted zip file to libarchive to cause an out-of-bounds read in programs linked with libarchive, using the LZMA zip functionality. The consequences depend on the specific program linked with libarchive. Still, they would most likely result in an application crash or information disclosure that could be used in conjunction with another exploit."], "name": "CVE-2022-26280", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libarchive", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2022-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-26280\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-26280"], "statement": "Versions of libarchive shipped with Red Hat Enterprise Linux 8 and prior are not affected by this vulnerability as the affected code (zipx_lzma_alone_init routine) is not shipped.", "threat_severity": "Moderate"}