diff --git a/advisories/unreviewed/2026/07/GHSA-p59g-85vj-3mvf/GHSA-p59g-85vj-3mvf.json b/advisories/unreviewed/2026/07/GHSA-p59g-85vj-3mvf/GHSA-p59g-85vj-3mvf.json index c3bb65842083c..a10cdf5485063 100644 --- a/advisories/unreviewed/2026/07/GHSA-p59g-85vj-3mvf/GHSA-p59g-85vj-3mvf.json +++ b/advisories/unreviewed/2026/07/GHSA-p59g-85vj-3mvf/GHSA-p59g-85vj-3mvf.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-p59g-85vj-3mvf", - "modified": "2026-07-13T06:31:30Z", + "modified": "2026-07-13T15:32:45Z", "published": "2026-07-10T12:31:42Z", "aliases": [ "CVE-2026-15028" ], + "summary": "CVE-2026-15028 libarchive", "details": "A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX extended header containing a malformed SUN.holesdata sparse-file attribute. Successful exploitation could lead to a denial of service, making the system unavailable, or potentially allow for arbitrary code execution, giving the attacker control over the affected system.", "severity": [ { @@ -13,7 +14,24 @@ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "libarchive" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", @@ -25,7 +43,7 @@ }, { "type": "WEB", - "url": "https://github.com/libarchive/libarchive/pull/3253" + "url": "https://github.com/libarchive/libarchive/pull/3252" }, { "type": "WEB", @@ -38,6 +56,10 @@ { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2497970" + }, + { + "type": "PACKAGE", + "url": "https://github.com/libarchive/libarchive" } ], "database_specific": {