CVE-2026-15028

Public on 2026-07-10
Modified on 2026-07-10
Description
A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.
Severity
Medium severity
Medium
See what this means
CVSS v3 Base Score
4.4
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core cmake3 Not Affected
Amazon Linux 2 - Core cpio Not Affected
Amazon Linux 2023 cpio Not Affected
Amazon Linux 2 - Core libarchive Not Affected
Amazon Linux 2023 libarchive Not Affected
Amazon Linux 2 - Core tar Not Affected
Amazon Linux 2023 tar Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L