CVE Vulnerabilities

CVE-2026-4426

Incorrect Bitwise Shift of Integer

Published: Mar 19, 2026 | Modified: May 03, 2026

CVSS 3.x: N/A (Source: NVD)
CVSS 2.x: no score listed
RedHat/V2: no score listed
RedHat/V3: 6.5 MODERATE, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Ubuntu: MEDIUM

A flaw was found in libarchive. An Undefined Behavior vulnerability exists in the zisofs decompression logic, caused by improper validation of a field (pz_log2_bs) read from ISO9660 Rock Ridge extensions. A remote attacker can exploit this by supplying a specially crafted ISO file. This can lead to incorrect memory allocation and potential application crashes, resulting in a denial-of-service (DoS) condition.

Weakness

An integer value is specified to be shifted by a negative amount, or by an amount greater than or equal to the number of bits contained in the value, causing an unexpected or indeterminate result.

Affected Software

Name | Vendor | Start Version | End Version
Libarchive | Libarchive | - (including) | - (including)
Hardened_images | Redhat | - (including) | - (including)
Openshift_container_platform | Redhat | 4.0 (including) | 4.0 (including)
Enterprise_linux | Redhat | 6.0 (including) | 6.0 (including)
Enterprise_linux | Redhat | 7.0 (including) | 7.0 (including)
Enterprise_linux | Redhat | 8.0 (including) | 8.0 (including)
Enterprise_linux | Redhat | 9.0 (including) | 9.0 (including)
Enterprise_linux | Redhat | 10.0 (including) | 10.0 (including)
Red Hat Hardened Images | RedHat | libarchive-main-3.8.7-1.hum1 | *
Libarchive | Ubuntu | devel | *
Libarchive | Ubuntu | esm-infra-legacy/trusty | *
Libarchive | Ubuntu | esm-infra-legacy/xenial | *
Libarchive | Ubuntu | esm-infra/bionic | *
Libarchive | Ubuntu | esm-infra/focal | *
Libarchive | Ubuntu | esm-infra/xenial | *
Libarchive | Ubuntu | jammy | *
Libarchive | Ubuntu | noble | *
Libarchive | Ubuntu | questing | *
Libarchive | Ubuntu | resolute | *

Extended Description

Shifting a value by a negative amount is undefined in various languages, and computer architectures implement the operation in different ways. Compilers and interpreters generally do not insert a check for this condition when generating code for a shift. An over-shift, a shift by an amount greater than or equal to the number of bits in the value being shifted, produces a result that varies by architecture and compiler. In some languages, this operation is explicitly listed as producing an undefined result.
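
As an added illustration of the weakness described above (not libarchive's code or its fix): a C helper that range-checks an untrusted log2 block-size byte such as pz_log2_bs before it is used as a shift count or to size an allocation. The function and struct names, the accepted range 15..17 and the pointer-table layout are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Example policy only: the accepted range is an assumption of this sketch,
 * not a value taken from the advisory or from libarchive. */
#define EX_LOG2_BS_MIN 15u
#define EX_LOG2_BS_MAX 17u

/* Hypothetical result type: sizes derived from the untrusted header fields. */
struct ex_layout {
    size_t block_size;   /* 1 << log2_bs */
    size_t nblocks;      /* blocks needed to cover the uncompressed size */
    size_t table_bytes;  /* assumed layout: (nblocks + 1) 32-bit pointers */
};

/* Derive allocation sizes from an untrusted log2 block-size byte.
 * Returns false, leaving *out untouched, when the field or the resulting
 * sizes are unusable. */
bool ex_zisofs_layout(uint8_t log2_bs, uint64_t uncompressed_size,
                      struct ex_layout *out)
{
    /* Range check comes first: shifting by a count >= the operand width is
     * undefined behaviour in C, so no shift may use an unchecked count. */
    if (log2_bs < EX_LOG2_BS_MIN || log2_bs > EX_LOG2_BS_MAX)
        return false;

    uint64_t bs = UINT64_C(1) << log2_bs;   /* count is known to be 15..17 */

    /* Ceiling division by a power of two, done without any left shift of
     * attacker-controlled data. */
    uint64_t nblocks = (uncompressed_size >> log2_bs)
                     + ((uncompressed_size & (bs - 1)) != 0);

    /* Reject sizes whose pointer table cannot be expressed in size_t. */
    if (nblocks >= SIZE_MAX / sizeof(uint32_t))
        return false;

    out->block_size = (size_t)bs;
    out->nblocks = (size_t)nblocks;
    out->table_bytes = ((size_t)nblocks + 1) * sizeof(uint32_t);
    return true;
}
```

A caller treats a false return as a malformed archive and stops processing that entry before any buffer is allocated.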
