CVE-2025-5914: Libarchive: double free at archive_read_format_rar_seek_data() in archive_read_support_format_rar.c
A vulnerability has been identified in the libarchive library, specifically within the archive_read_format_rar_seek_data() function. This flaw involves an integer overflow that can ultimately lead to a double-free condition. Exploiting a double-free vulnerability can result in memory corruption, enabling an attacker to execute arbitrary code or cause a denial-of-service condition.
Security readout for executives and security teams
Plain-English summary
This flaw is in libarchive’s RAR handling. A crafted RAR archive could trigger memory corruption through an integer overflow leading to double free, with possible code execution or denial of service. The source bundle lists affected Red Hat Enterprise Linux and OpenShift Container Platform releases.
Executive priority
Treat as high priority for Linux and OpenShift fleets that process external archives. The business risk is strongest for file intake, scanning, and extraction services where malicious content could cross trust boundaries.
Technical view
CVE-2025-5914 affects archive_read_format_rar_seek_data() in libarchive. The reported root issue is CWE-190 integer overflow, which can lead to double free and memory corruption. CVSS 3.1 is 7.8, local attack vector, low complexity, no privileges, user interaction required, with high confidentiality, integrity, and availability impact.
Likely exposure
Highest exposure is on affected Red Hat systems or OpenShift nodes where libarchive processes untrusted RAR archives, including upload, scanning, extraction, or content-ingestion workflows. Systems not handling RAR content are lower practical risk but still need package inventory review.
Exploitation context
The bundle does not show CISA KEV listing or other cited evidence of active exploitation. Exploitation requires a malicious archive to be processed locally or by a user-assisted workflow, not direct unauthenticated remote network access.
Researcher notes
Evidence is Red Hat-focused. The source bundle identifies many affected RHEL streams and OpenShift 4.14-4.16 rhcos builds, but does not provide exploit status, proof-of-concept details, or universal upstream fixed-version data. Avoid assuming non-Red Hat exposure without separate vendor confirmation.
Mitigation direction
Apply the relevant Red Hat RHSA updates for affected RHEL and OpenShift releases.
Prioritize systems that parse uploaded, emailed, or externally supplied RAR archives.
Temporarily restrict untrusted RAR processing where patching cannot happen quickly.
Check Red Hat advisories for exact fixed package and rhcos release guidance.
Validation and detection
Inventory installed libarchive package versions across RHEL and OpenShift assets.
Map exposed archive-processing workflows that accept RAR files from untrusted sources.
Confirm affected versions match Red Hat’s listed vulnerable package builds.
Verify updated systems report vendor-fixed libarchive or rhcos package versions.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-190: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-190 · source CWE mapping
Integer Overflow or Wraparound
Integer Overflow or Wraparound represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.