CVE-2024-48615 Overview
CVE-2024-48615 is a null pointer dereference vulnerability in libarchive version 3.7.6 and earlier. The flaw resides in the header_pax_extension function inside archive_read_support_format_tar.c at line 1844. When the bsdtar program processes a crafted tar archive containing malformed PAX extension headers, the function dereferences a null pointer and crashes the process. The vulnerability is classified under [CWE-476] and affects any application that links against the vulnerable libarchive library to parse untrusted tar input.
Critical Impact
A remote attacker can trigger a denial-of-service condition in bsdtar or any application using libarchive by supplying a malicious tar archive with crafted PAX extension headers.
Affected Products
- libarchive 3.7.6
- libarchive versions earlier than 3.7.6
- Applications and operating system utilities that bundle libarchive (including bsdtar)
Discovery Timeline
- 2025-03-28 - CVE-2024-48615 published to NVD
- 2025-04-14 - Last updated in NVD database
Technical Details for CVE-2024-48615
Vulnerability Analysis
The vulnerability is a null pointer dereference triggered during PAX extension header parsing in libarchive. The function header_pax_extension in archive_read_support_format_tar.c fails to validate a pointer before dereferencing it at line 1844. When bsdtar or another consumer of libarchive reads a crafted tar archive, the parser reaches code that operates on a structure member that was never initialized for the malformed input. The resulting segmentation fault halts the process and prevents the archive operation from completing. The issue is a reachable availability flaw over the network because tar archives are routinely transferred and processed without prior validation.
Root Cause
The root cause is missing input validation in the PAX extension header handling path. libarchive accepts a header structure but does not verify that all required fields are populated before passing them to the extension parser. The parser then performs a pointer dereference on a member that remains NULL when the input deviates from the expected PAX layout. The defect is consistent with [CWE-476] Null Pointer Dereference.
Attack Vector
An attacker delivers a crafted tar archive to a target system. Any workflow that invokes bsdtar or links libarchive to extract or list the archive will crash. Common delivery paths include email attachments, software supply-chain artifacts, container image layers, backup tooling, and automated archive scanners. No authentication or user interaction beyond standard archive processing is required.
The vulnerability manifests during PAX extension header parsing. See the GitHub Crash Test Repository for reproduction artifacts and the libarchive 3.7.6 source release for the vulnerable code path in archive_read_support_format_tar.c.
Detection Methods for CVE-2024-48615
Indicators of Compromise
- Unexpected crashes or segmentation faults in bsdtar, tar, or other archive utilities linked against libarchive.
- Core dumps referencing header_pax_extension or archive_read_support_format_tar.c in the stack trace.
- Tar archives containing malformed or unusual PAX extension headers received from untrusted sources.
Detection Strategies
- Inventory installed libarchive packages and flag any version at or below 3.7.6 across Linux, macOS, and BSD endpoints.
- Monitor process exit codes and crash telemetry for archive-handling utilities invoked by backup, build, or scanning pipelines.
- Inspect archive ingestion services for repeated parser failures on the same input, which can indicate an attacker probing the flaw.
Monitoring Recommendations
- Forward crash and signal events from endpoint and server hosts into a centralized log pipeline for correlation.
- Alert on abnormal termination of bsdtar, tar, package managers, and container runtimes that depend on libarchive.
- Track archive sources that repeatedly cause parser faults and quarantine the originating files for analysis.
How to Mitigate CVE-2024-48615
Immediate Actions Required
- Identify every system and container image that ships libarchive 3.7.6 or earlier.
- Upgrade libarchive to a fixed release as soon as the maintainers publish a patched version.
- Restrict archive processing to trusted inputs in automated pipelines until patching is complete.
- Rebuild and redeploy applications that statically link libarchive after the library is updated.
Patch Information
At the time of NVD publication, no vendor advisory URL is listed. Track upstream releases on the libarchive release page and apply the next version above 3.7.6 once available. Distributions that backport fixes will publish updated libarchive packages through their standard security channels.
Workarounds
- Avoid processing tar archives from untrusted sources with bsdtar or other libarchive-based tools until patched.
- Run archive extraction inside sandboxed or containerized environments so that a crash cannot disrupt the host service.
- Implement upstream validation that rejects archives with malformed PAX extension headers before they reach libarchive.
# Verify the installed libarchive version on Linux
ldconfig -p | grep libarchive
dpkg -l | grep libarchive # Debian/Ubuntu
rpm -qa | grep libarchive # RHEL/Fedora/SUSE
# Example: isolate archive extraction in a restricted sandbox
systemd-run --quiet --pty --uid=nobody --gid=nogroup \
--property=NoNewPrivileges=yes \
--property=ProtectSystem=strict \
--property=PrivateNetwork=yes \
bsdtar -tf /path/to/untrusted.tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
