CVE-2026-5745 Overview
A NULL pointer dereference vulnerability has been identified in libarchive, specifically within the Access Control List (ACL) parsing functionality. The flaw exists in the archive_acl_from_text_nl() function, which fails to perform adequate validation when processing malformed ACL strings. When an attacker provides a maliciously crafted archive containing improperly formatted ACL entries (such as a bare "d" or "default" tag without subsequent required fields), applications utilizing the libarchive API—including the commonly used bsdtar utility—can be forced to crash.
Critical Impact
Attackers can cause Denial of Service (DoS) conditions in applications processing untrusted archive files by exploiting the NULL pointer dereference in libarchive's ACL parsing logic.
Affected Products
- libarchive builds in which archive_acl_from_text_nl() lacks the fix (the affected version range is not stated on this page; consult the vendor advisories below)
- Applications utilizing the libarchive API (e.g., bsdtar)
- Linux distributions and systems with vulnerable libarchive packages
Discovery Timeline
- 2026-04-07 - CVE-2026-5745 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-5745
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference). It is a memory-safety defect rather than memory corruption: the program dereferences a pointer it expects to be valid but which is NULL, the access lands in an unmapped page, and the process is terminated with a segmentation fault (SIGSEGV on Linux and the BSDs). The documented impact is therefore a crash, not code execution. In libarchive the fault is reached during ACL text parsing.
The archive_acl_from_text_nl() function is responsible for parsing ACL strings from archive metadata. When the function encounters a malformed ACL string—specifically one containing only a "d" or "default" tag without the required subsequent field specifications—it fails to properly validate the input before advancing internal pointers. This results in the function attempting to access memory through a NULL pointer, causing an immediate application crash.
The local attack vector requires user interaction, as a victim must process a maliciously crafted archive file. However, in automated environments where archives are processed without manual inspection, this could lead to service disruption.
Root Cause
The root cause lies in insufficient input validation within the archive_acl_from_text_nl() function. When parsing ACL text entries, the function expects a complete ACL specification following tag identifiers like "default" or "d". The code advances to the next expected field without first verifying that additional data exists, leading to a NULL pointer when the malformed string terminates prematurely.
The absence of defensive programming practices—specifically, failure to check for NULL or validate string boundaries before pointer operations—allows this condition to occur.
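To make the root cause concrete, the following is an added example written for this page, not libarchive's code: a minimal POSIX.1e-style ACL text-entry parser in C that reproduces the failure pattern described above (a bare "d" or "default" tag with nothing after it) next to the single check that prevents it. The entry syntax, the function names (next_field, parse_tail, parse_acl_entry_unchecked, parse_acl_entry, acl_parse_status) and the status codes are assumptions made for illustration; libarchive's real tokenizer is structured differently.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example for this page, not libarchive's code. Models a parser for
 * entries of the form
 *   [default:|d:]tag:qualifier:perms      e.g. "default:user:alice:rwx"
 * All names here are hypothetical. */

enum acl_status { ACL_OK = 0, ACL_ERR_TRUNCATED = 1, ACL_ERR_BADTAG = 2 };

struct acl_entry {
    int  is_default;
    char tag[16];
    char qualifier[64];
    char perms[8];
};

/* Copy the field that starts at p (up to ':' or end of string) into dst.
 * Returns a pointer just past the ':' or NULL when no further field exists. */
static const char *next_field(const char *p, char *dst, size_t dstlen)
{
    const char *colon = strchr(p, ':');
    size_t len = colon ? (size_t)(colon - p) : strlen(p);
    if (len >= dstlen)
        len = dstlen - 1;
    memcpy(dst, p, len);
    dst[len] = '\0';
    return colon ? colon + 1 : NULL;
}

static int is_default_tag(const char *s)
{
    return strcmp(s, "d") == 0 || strcmp(s, "default") == 0;
}

static int is_known_tag(const char *s)
{
    return !strcmp(s, "user")  || !strcmp(s, "u") || !strcmp(s, "group") || !strcmp(s, "g") ||
           !strcmp(s, "other") || !strcmp(s, "o") || !strcmp(s, "mask")  || !strcmp(s, "m");
}

/* Shared tail: tag already in e->tag, p points at the qualifier field or is NULL. */
static int parse_tail(const char *p, struct acl_entry *e)
{
    if (!is_known_tag(e->tag))
        return ACL_ERR_BADTAG;
    if (p == NULL)
        return ACL_ERR_TRUNCATED;
    p = next_field(p, e->qualifier, sizeof e->qualifier);
    if (p == NULL)
        return ACL_ERR_TRUNCATED;
    next_field(p, e->perms, sizeof e->perms);
    return ACL_OK;
}

/* Vulnerable shape (CWE-476): after consuming "default"/"d" the parser
 * advances to the next field without checking that one exists. For the
 * input "d" the first next_field() returned NULL, so the second call hands
 * NULL to strchr(), which dereferences it and crashes. Shown for contrast;
 * never call it on untrusted text. */
int parse_acl_entry_unchecked(const char *text, struct acl_entry *e)
{
    const char *p = next_field(text, e->tag, sizeof e->tag);
    e->is_default = is_default_tag(e->tag);
    if (e->is_default)
        p = next_field(p, e->tag, sizeof e->tag);   /* p is NULL for a bare "d" */
    return parse_tail(p, e);
}

/* Hardened version: the only change is the NULL check before advancing past
 * the "default" tag. A truncated entry is reported, not dereferenced. */
int parse_acl_entry(const char *text, struct acl_entry *e)
{
    const char *p = next_field(text, e->tag, sizeof e->tag);
    e->is_default = is_default_tag(e->tag);
    if (e->is_default) {
        if (p == NULL)                      /* bare "d" / "default" */
            return ACL_ERR_TRUNCATED;
        p = next_field(p, e->tag, sizeof e->tag);
    }
    return parse_tail(p, e);
}

/* Status-only wrapper; hardened selects the checked or the unchecked parser. */
int acl_parse_status(const char *text, int hardened)
{
    struct acl_entry e;
    return hardened ? parse_acl_entry(text, &e) : parse_acl_entry_unchecked(text, &e);
}

int main(void)
{
    const char *inputs[] = { "default:user:alice:rwx", "d:u:alice:rwx", "other::r--",
                             "d", "default", "user:bob", "bogus:x:rwx" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-24s -> status %d\n", inputs[i], acl_parse_status(inputs[i], 1));
    return 0;
}
```

The hardened parser treats "d" and "default" as a truncated entry (ACL_ERR_TRUNCATED) and returns normally; the unchecked variant handles every well-formed entry identically and differs only on that input, where it crashes. Fuzzing the parser with a corpus of short, colon-separated strings is the quickest way to surface this class of bug in a real implementation.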
Attack Vector
The attack requires local access and user interaction. An attacker must craft a malicious archive file containing specially formatted ACL metadata with incomplete or malformed entries. The attack scenario proceeds as follows:
The attacker creates an archive file with embedded ACL data containing a bare "default" or "d" tag without the required subsequent ACL fields. When a victim extracts or processes this archive using bsdtar or another application built on libarchive, the archive_acl_from_text_nl() function parses the malformed ACL string and crashes due to the NULL pointer dereference, resulting in Denial of Service.
This vulnerability is particularly concerning in environments where archive processing is automated, such as backup systems, package managers, or file synchronization services, where crashes could disrupt critical operations.
Detection Methods for CVE-2026-5745
Indicators of Compromise
- Application crashes in bsdtar or other libarchive-dependent utilities during archive extraction
- Segmentation fault errors in system logs associated with libarchive functions
- Core dump files indicating crashes in archive_acl_from_text_nl() or related ACL parsing routines
Detection Strategies
- Monitor system logs for segmentation faults in processes using libarchive (e.g., bsdtar, cmake, backup utilities)
- File integrity monitoring on libarchive library files detects tampering with the library itself, not exploitation of this flaw; pair it with package version tracking so that unpatched copies of libarchive (including statically linked or vendored ones) can be located
- Deploy application crash monitoring to identify patterns of DoS attempts via malformed archives
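The segfault monitoring suggested above can be made specific to this bug class. The following is an added example written for this page (not taken from any monitoring product): a C classifier for the kernel's segfault log lines as they appear in dmesg or the journal, which flags faults whose address lies in the first page (the signature of a NULL-pointer dereference) and whose faulting code sits in a libarchive mapping. The sample lines, PIDs, addresses and library file names are constructed, and the function names (parse_segfault_line, line_is_null_deref_in, count_libarchive_null_faults) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example for this page. Expected line shape is the kernel's own
 * unhandled-signal message:
 *   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[<base>+<size>]
 * optionally prefixed by a dmesg timestamp or a journal "host kernel:" prefix
 * and optionally suffixed by "likely on CPU N" on newer kernels.
 * A fault address below one page (0x1000) is NULL plus a small field offset. */

#define NULL_PAGE_LIMIT 0x1000UL

struct segfault_info {
    char comm[32];
    unsigned long addr;
    char object[64];
};

/* Parse one log line. Returns 1 if it is a segfault record, 0 otherwise. */
int parse_segfault_line(const char *line, struct segfault_info *info)
{
    const char *at = strstr(line, "segfault at ");
    if (at == NULL)
        return 0;

    /* comm is the "<comm>[<pid>]:" token immediately before "segfault at" */
    const char *end = at;
    while (end > line && end[-1] == ' ')
        end--;
    const char *start = end;
    while (start > line && start[-1] != ' ')
        start--;
    size_t len = 0;
    while (start + len < end && start[len] != '[' && len < sizeof info->comm - 1)
        len++;
    memcpy(info->comm, start, len);
    info->comm[len] = '\0';

    info->addr = strtoul(at + strlen("segfault at "), NULL, 16);

    /* object: the mapping name after " in ", up to '[' */
    info->object[0] = '\0';
    const char *in = strstr(at, " in ");
    if (in != NULL) {
        in += 4;
        for (len = 0; in[len] && in[len] != '[' && in[len] != ' ' && len < sizeof info->object - 1; len++)
            ;
        memcpy(info->object, in, len);
        info->object[len] = '\0';
    }
    return 1;
}

/* 1 if the line is a segfault at a NULL-page address with the faulting code in
 * a mapping whose name starts with object_prefix (e.g. "libarchive"). */
int line_is_null_deref_in(const char *line, const char *object_prefix)
{
    struct segfault_info info;
    if (!parse_segfault_line(line, &info))
        return 0;
    return info.addr < NULL_PAGE_LIMIT &&
           strncmp(info.object, object_prefix, strlen(object_prefix)) == 0;
}

/* Constructed sample log: two libarchive NULL-page faults, one unrelated crash
 * in libxul, one NULL-page fault in python3 (not libarchive), one non-segfault line. */
static const char *sample_log[] = {
    "[  812.114212] bsdtar[4121]: segfault at 0 ip 00007f2c1a3b4c10 sp 00007ffd3c2e5a40 error 4 in libarchive.so.13.7.2[7f2c1a380000+e0000]",
    "Apr 08 09:14:02 build01 kernel: bsdtar[5022]: segfault at 8 ip 00007f6d2b1e4d21 sp 00007ffc1b1e7f30 error 4 in libarchive.so.13.7.2[7f6d2b1b0000+e0000] likely on CPU 3",
    "[  813.002001] firefox[2201]: segfault at 7f0a12345678 ip 00007f0a00001234 sp 00007ffd00001234 error 6 in libxul.so[7f0a00000000+7000000]",
    "[  814.100000] python3[6677]: segfault at 0 ip 0000000000401234 sp 00007ffd11111111 error 4 in python3.11[400000+200000]",
    "[  815.000000] audit: type=1400 audit(1712567642.000:100): apparmor=\"DENIED\"",
};

/* Count sample lines that look like a NULL dereference inside libarchive. */
int count_libarchive_null_faults(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++)
        n += line_is_null_deref_in(sample_log[i], "libarchive");
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_log / sizeof sample_log[0]; i++) {
        struct segfault_info info;
        if (parse_segfault_line(sample_log[i], &info))
            printf("%-10s addr=0x%lx object=%s libarchive_null_deref=%d\n", info.comm,
                   info.addr, info.object, line_is_null_deref_in(sample_log[i], "libarchive"));
    }
    printf("libarchive NULL-page faults in sample: %d\n", count_libarchive_null_faults());
    return 0;
}
```

Two caveats for deployment: the kernel only emits these lines when unhandled-signal reporting is enabled (the debug.exception-trace sysctl on x86, on by default), and a crash whose faulting instruction is in the calling program rather than in libarchive.so (for example a statically linked bsdtar) will carry the program's name in the "in" field, so the prefix to match should cover every binary that embeds libarchive.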
Monitoring Recommendations
- Enable crash reporting and monitoring for applications that process archive files
- Implement rate limiting on archive processing in automated systems to mitigate repeated DoS attempts
- Review system logs for unusual patterns of application crashes during archive operations
How to Mitigate CVE-2026-5745
Immediate Actions Required
- Review and update libarchive packages when vendor patches become available
- Limit archive processing to trusted sources where possible
- Run archive extraction in a separate, restartable process or sandbox rather than calling libarchive in-process from a long-running service, so that a crash takes down only the extractor and not the backup daemon, package manager or sync service that invoked it
Patch Information
Consult vendor advisories for patch availability. Refer to the Red Hat CVE-2026-5745 Advisory and the Red Hat Bugzilla Report #2455921 for the latest security updates and patch status for affected distributions.
Workarounds
- Verify archives against a signature or checksum obtained from a trusted source before processing; note that checksum verification only confirms the file is the one the publisher shipped and does not detect a maliciously crafted archive that the attacker supplied in the first place
- Run archive extraction utilities in isolated environments (containers, sandboxes) to contain crashes
- Implement process monitoring and automatic restart for critical archive processing services to maintain availability
- Restrict archive processing to files from trusted sources only
Configuration example: running an archive-processing service under systemd sandboxing.
Drop-in for the service unit, e.g. /etc/systemd/system/archive-worker.service.d/override.conf (the unit name and writable path are illustrative). The hardening directives limit what the extractor can touch if a crafted archive ever yields more than a crash; they do not prevent the crash itself, so Restart= is what keeps the service available.
[Service]
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/archive-worker
PrivateTmp=true
NoNewPrivileges=true
RestrictSUIDSGID=true
Restart=on-failure
Apply with: systemctl daemon-reload && systemctl restart archive-worker.service
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.