CVE-2025-5918: Libarchive: reading past eof may be triggered for piped file streams
A vulnerability has been identified in the libarchive library. This flaw can be triggered when file streams are piped into bsdtar, potentially allowing for reading past the end of the file. This out-of-bounds read can lead to unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition.
Security readout for executives and security teams
Plain-English summary
CVE-2025-5918 is a low-severity libarchive flaw where piped input to bsdtar can make the program read past the end of a file. Business impact is mainly service disruption or limited unintended data exposure on affected Red Hat systems, not remote compromise based on the provided evidence.
Executive priority
Treat this as routine patch management, not emergency response. Prioritize affected shared Linux hosts, build systems, and automation that processes untrusted archives. Escalate only if Red Hat or libarchive publishes stronger impact evidence or exploitation activity.
Technical view
The issue is a CWE-125 out-of-bounds read in libarchive, triggered when file streams are piped into bsdtar. The CVSS 3.1 score is 3.9 with local attack vector, low complexity, low privileges, and user interaction required. Integrity impact is not indicated; confidentiality and availability impacts are low.
Likely exposure
Exposure is most likely on Red Hat Enterprise Linux 8, 9, 10, and OpenShift Container Platform 4/RHCOS systems using libarchive or bsdtar with piped archive streams. RHEL 6 and 7 status is listed as unknown in the supplied data.
Exploitation context
The source bundle does not show KEV listing or active exploitation. Abuse appears local and workflow-dependent, requiring low privileges and user interaction. Practical risk is higher where local users or automated jobs process untrusted piped archive data.
Researcher notes
Evidence supports an out-of-bounds read with local, low-privilege, user-interaction constraints. The affected list is Red Hat-focused and incomplete for other distributions. Do not assume broader product exposure or active exploitation without additional vendor confirmation.
Mitigation direction
Check Red Hat CVE guidance for affected package status and available updates.
Apply vendor-provided libarchive or RHCOS updates when released for your platform.
Review automation that pipes untrusted file streams into bsdtar.
Restrict local access to systems that process untrusted archive input.
Monitor libarchive PR 2584 and v3.8.0 release notes for fix context.
Validation and detection
Inventory RHEL 8, 9, 10, and OpenShift 4/RHCOS assets.
Check installed libarchive or RHCOS package versions against Red Hat guidance.
Identify jobs or scripts using bsdtar with piped input.
Confirm whether RHEL 6 or 7 exposure remains unknown for your estate.
Document compensating controls for systems awaiting vendor updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.