CVE-2026-4426
CVE-2026-4426 is a medium-severity vulnerability in Redhat Hardened Images with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-1335.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- EPSS exploit prediction: 0% (22nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-13099
- Weakness: CWE-1335
- Affected product: Redhat Hardened Images
- Published:
- Last modified:
Description
A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
Frequently asked questions
- What is CVE-2026-4426?
- A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.
- How severe is CVE-2026-4426?
- CVE-2026-4426 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-4426 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (22nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-4426?
- CVE-2026-4426 primarily affects Redhat Hardened Images. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2026-4426?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-4426 have an EU (EUVD) identifier?
- Yes. CVE-2026-4426 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-13099.
- When was CVE-2026-4426 published?
- CVE-2026-4426 was published on 2026-03-19 and last updated on 2026-06-17.
References
- https://access.redhat.com/errata/RHSA-2026:8944
- https://access.redhat.com/security/cve/CVE-2026-4426
- https://bugzilla.redhat.com/show_bug.cgi?id=2449010
- https://github.com/libarchive/libarchive/pull/2897
Affected products (8)
- cpe:2.3:a:libarchive:libarchive:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Redhat Hardened Images
- CVE-2026-0966 — High (CVSS 8.2): A flaw was found in libssh. The API function `ssh_get_hexa()` is vulnerable to a denial of service when processing…
- CVE-2026-48864 — High (CVSS 7.8): A flaw was found in libsolv. This heap buffer overflow occurs during the decompression of attacker-controlled…
- CVE-2026-6846 — High (CVSS 7.8): A flaw was found in binutils. A heap-buffer-overflow vulnerability exists when processing a specially crafted XCOFF…
- CVE-2025-14821 — High (CVSS 7.8): A flaw was found in libssh. This vulnerability allows local man-in-the-middle attacks, security downgrades of SSH…
- CVE-2026-4775 — High (CVSS 7.8): A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the…
- CVE-2026-42009 — High (CVSS 7.5): A flaw was found in gnutls. A remote attacker could exploit an issue in the Datagram Transport Layer Security (DTLS)…
All CVEs affecting Redhat Hardened Images →
Other CWE-1335 vulnerabilities
- CVE-2016-9842 — High (CVSS 8.8): The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact…
- CVE-2023-52810 — High (CVSS 8.4): In the Linux kernel, the following vulnerability has been resolved: fs/jfs: Add check for negative…
- CVE-2026-5072 — Medium (CVSS 6.5): A bitwise shift vulnerability in Zephyr's PTP subsystem allows a remote attacker to cause undefined behavior and…