CVE-2025-5914
Initial Publication
06/10/2025
Last Update
09/02/2025
Third Party Dependency
libarchive
NIST CVE Summary
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Our Official Summary
An integer overflow vulnerability in the archive_read_format_rar_seek_data() function of the libarchive library (versions before 3.8.0) can result in a double‑free, potentially causing memory corruption. Exploitation may lead to denial of service or even arbitrary code execution. Double‑free vulnerabilities can lead to severe consequences such as process crashes, data corruption, or unauthorized code execution.
This vulnerability is reported on the Harbor and Multus containers. Unless you are using these components, this is not applicable.
In the affected images, multiple security controls are already in place:
- The images are not accessible externally, limiting exposure.
- An attacker would require privileged access within the cluster to attempt exploitation.
- The containers do not permit arbitrary code execution, further mitigating risk.
As a result, the practical impact of this vulnerability is low, with the containerized deployment model significantly reducing the overall attack surface.
Status
Open
Affected Products & Versions
Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
---|---|---|---|---|
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
Date | Revision |
---|---|
08/18/2025 | Official summary revised: An integer overflow vulnerability in the archive_read_format_rar_seek_data() function of the libarchive library (versions before 3.8.0) can result in a double‑free, potentially causing memory corruption. Exploitation may lead to denial of service or even arbitrary code execution. Double‑free vulnerabilities can lead to severe consequences such as process crashes, data corruption, or unauthorized code execution. This vulnerability is reported on the Harbor and Multus containers. Unless you are using these components, this is not applicable. In the affected images, multiple security controls are already in place: the images are not accessible externally, limiting exposure; an attacker would require privileged access within the cluster to attempt exploitation; the containers do not permit arbitrary code execution, further mitigating risk. As a result, the practical impact of this vulnerability is low, with the containerized deployment model significantly reducing the overall attack surface. |
06/26/2025 | Official summary added |
06/21/2025 | Advisory severity revised to CRITICAL from LOW |