#VU22332 Use-after-free in libarchive - CVE-2019-18408
Published: October 29, 2019
Vulnerability identifier: #VU22332
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2019-18408
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
libarchive
libarchive
Software vendor:
libarchive
libarchive
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the archive_read_format_rar_read_data() function in archive_read_support_format_rar.c in libarchive when handling certain ARCHIVE_FAILED situation, related to Ppmd7_DecodeSymbol. A remote attacker can create a specially crafted archive, pass it to the affected application trigger a use-after-free error and crash the application or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
Remediation
Install updates from vendor's website.