CVE-2026-15028 in Enterprise Linux 6info

Summary

by MITRE • 07/10/2026

A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in libarchive represents a critical heap overflow flaw that demonstrates the ongoing challenges in archive processing libraries within cybersecurity infrastructure. This issue specifically manifests when the library encounters a malformed tar archive containing a PAX extended header with a corrupted SUN.holesdata sparse-file attribute, creating a dangerous condition that can be exploited remotely by attackers. The vulnerability resides in the parsing logic of libarchive's archive extraction routines, where insufficient input validation allows malicious data to bypass normal boundary checks and overwrite adjacent heap memory regions.

The technical implementation of this vulnerability stems from improper handling of sparse file metadata within the PAX format extension, which is commonly used in modern tar archives to support large files with holes. When libarchive processes the SUN.holesdata attribute, it fails to properly validate the length or structure of the attribute data before attempting to copy it into heap-allocated buffers. This oversight creates a classic heap-based buffer overflow condition where attacker-controlled data can overwrite adjacent memory locations, potentially corrupting heap metadata or overwriting function pointers and return addresses.

From an operational perspective, this vulnerability presents significant risks to systems that process untrusted archive files, including web servers, file transfer applications, and automated build systems. The remote exploitation capability means that attackers can craft malicious tar archives that will trigger the overflow when processed by any application linked against vulnerable versions of libarchive. The potential impact ranges from denial of service attacks that crash services and make systems unavailable to more severe arbitrary code execution scenarios where attackers gain complete system control through heap corruption techniques.

The vulnerability aligns with several cybersecurity frameworks and threat models, particularly mapping to CWE-121 for heap-based buffer overflow conditions and supporting ATT&CK technique T1059.007 for execution through archive extraction processes. Organizations using libarchive for processing file transfers, backup operations, or automated deployment pipelines face immediate risk exposure, as the vulnerability can be triggered without user interaction simply by processing a malicious archive file. The attack surface expands significantly in environments where automated systems routinely extract archives from untrusted sources such as email attachments, web downloads, or third-party software distributions.

Mitigation strategies should prioritize immediate patching of libarchive to versions that properly validate sparse file metadata before heap allocation occurs. System administrators should implement strict input validation controls for archive processing, including sandboxed execution environments and network segmentation to limit the impact of successful exploitation attempts. Additionally, monitoring solutions should be deployed to detect unusual archive processing patterns or memory corruption indicators that could signal exploitation attempts. Organizations should also consider implementing automated security scanning tools that can identify potentially malicious archives before they are processed by vulnerable applications, creating multiple layers of defense against this specific heap overflow vulnerability.

Responsible

Redhat

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!