ISN 2025-34: Libarchive Vulnerability

First published 14 August 2025

CVSS:3.1: 7.8 (High)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

A security vulnerability has been found in Libarchive, a compression library used in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

A memory management issue has been discovered in the Libarchive library, specifically within the “archive_read_format_rar_seek_data()” function. It involves an integer overflow that can ultimately lead to a double free, causing a crash or enabling code execution (CVE-2025-5914).

NVD has recently raised its rating of this vulnerability to critical. However, because the issue only occurs on systems with large amounts of memory (> 100 GB), which is atypical for IGEL OS, IGEL rates it as high.

Update Instructions

  • OS 12: Update to version 12.7.1 PR1 or newer of the IGEL OS base system app when available from the IGEL App Portal.

  • OS 11: Update to IGEL OS version 11.11.100 when available.
