CVE Vulnerabilities

CVE-2025-25724

Unchecked Return Value

Published: Mar 02, 2025 | Modified: Jul 17, 2025
CVSS 3.x
7.8
HIGH
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
4 MODERATE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Ubuntu
MEDIUM

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Weakness

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

Affected Software

Name Vendor Start Version End Version
Libarchive Libarchive * 3.7.7 (including)
Red Hat Enterprise Linux 10 RedHat libarchive-0:3.7.7-3.el10_0 *
Red Hat Enterprise Linux 9 RedHat libarchive-0:3.5.3-5.el9_6 *
Red Hat Enterprise Linux 9 RedHat libarchive-0:3.5.3-5.el9_6 *
Red Hat Discovery 2 RedHat registry.redhat.io/discovery/discovery-server-rhel9:sha256:bd9cb502def3153c193713b56372694cb555a71b38d4fc0fd9d021bccc5602de *
Libarchive Ubuntu devel *
Libarchive Ubuntu focal *
Libarchive Ubuntu jammy *
Libarchive Ubuntu noble *
Libarchive Ubuntu oracular *
Libarchive Ubuntu plucky *

Potential Mitigations

References