FERRAMENTAS LINUX: Stop Rushing to Patch Every libarchive Alert: A Repeatable Security Playbook

Sunday, April 19, 2026



Stop worrying about libarchive zero-days. Learn to check, patch, and mitigate CVE-2026-4424 and CVE-2026-5121 on Rocky Linux, Ubuntu and SUSE with actual commands. Includes an automation script and AppArmor/iptables workarounds. Future-proof your archive parsing now.

One line of context (not the main story): In April 2026, Rocky Linux 9 users saw an update for libarchive (RLSA-2026:8510) fixing CVE-2026-4424 (heap out‑of‑bounds read in RAR handling) and CVE-2026-5121 (integer overflow in ISO9660 parsing). Both could lead to information disclosure or code execution when processing a malicious archive.

That date is just history. The real problem – vulnerable archive parsers – will happen again next month, next year, and on every distribution. Here’s your evergreen game plan.

How to Check If You Are Vulnerable (Right Now)

Run these commands on your systems. No guesswork.

Ubuntu / Debian:

```bash
dpkg -l | grep libarchive
# Look for version < 3.6.2-2 (for Jammy) or < 3.7.4-1 (for Noble)
# If older → vulnerable
```

Rocky Linux / RHEL:

```bash
rpm -q libarchive
# Expected fixed version: 3.5.3-9.el9_7 or higher
# Anything lower → patch immediately
```

SUSE:

```bash
zypper info libarchive | grep Version
# Fixed version: 3.6.2-150600.52.1 for SLES15 SP6
# Compare with your output
```

Quick one‑liner for any distro (checks whether the installed library was built with the RAR and ISO9660 readers, i.e. whether the affected code is present at all)

```bash
lib=$(ldconfig -p | grep libarchive | head -1 | awk '{print $NF}')
strings "$lib" | grep -E "archive_read_support_format_rar|archive_read_support_format_iso9660" && echo "libarchive found – check version manually"
```
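Reading the version by eye does not scale past a handful of hosts, and a plain string comparison gets release numbers like 9 versus 10 wrong. The script below is an added example, not code from the original post: it compares an installed version string against the fixed version using version ordering (GNU `sort -V`), and reads the installed version through `dpkg-query` or `rpm` when one of them is present. The version strings in the demo are constructed samples built around the Rocky Linux 9 fixed version quoted above; `FIXED` is an assumed environment variable you set to your distro's fixed version.

```bash
#!/bin/bash
# Added example (not from the original post): compare the installed libarchive
# version against the distro's fixed version in a script instead of by eye.
# Uses GNU sort -V for version ordering; demo values are constructed samples.

# version_lt A B -> true (exit 0) when A sorts strictly before B in version order
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# installed_version -> bare version-release of the installed libarchive, or nothing
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' libarchive13 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' libarchive 2>/dev/null
    fi
}

# check_version INSTALLED FIXED -> prints a verdict; exit 0 = patched, 1 = vulnerable
check_version() {
    local installed="$1" fixed="$2"
    if version_lt "$installed" "$fixed"; then
        echo "VULNERABLE: installed $installed is older than fixed $fixed"
        return 1
    fi
    echo "OK: installed $installed is at or above fixed $fixed"
    return 0
}

# Demo on constructed values against the Rocky Linux 9 fixed version from the advisory.
# 3.5.3-10 is newer than 3.5.3-9, which a plain string comparison would get wrong.
for installed in "3.5.3-8.el9" "3.5.3-9.el9_7" "3.5.3-10.el9_7"; do
    check_version "$installed" "3.5.3-9.el9_7" || :
done

# Live check on a real host: FIXED (assumed variable) holds your distro's fixed version
if [ -n "${FIXED:-}" ] && v=$(installed_version) && [ -n "$v" ]; then
    check_version "$v" "$FIXED"
fi
```

On Debian-family hosts `dpkg --compare-versions` is the authoritative comparator (it understands epochs and `~` pre-release markers); `sort -V` is used here because it is available on every distro the post covers.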

Automation Script to Apply the Fix (Works on Major Distros)

Save as fix-libarchive.sh and run as root.

```bash
#!/bin/bash
# libarchive security fix - CVE-2026-4424 & CVE-2026-5121
# Supports Ubuntu/Debian, Rocky/RHEL/AlmaLinux, SLES/openSUSE

set -e

if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root"
   exit 1
fi

detect_os() {
    if [ -f /etc/os-release ]; then
        # os-release exports ID (ubuntu, rocky, sles, ...) and VERSION_ID
        . /etc/os-release
        OS=$ID
        VER=$VERSION_ID
    else
        echo "Cannot detect OS"
        exit 1
    fi
}

apply_fix() {
    case "$OS" in
        ubuntu|debian)
            apt-get update
            # --only-upgrade refreshes the packages that are installed and installs nothing new
            apt-get install --only-upgrade -y libarchive13 libarchive-tools
            ;;
        rocky|rhel|almalinux)
            dnf update -y libarchive bsdtar
            ;;
        sles|opensuse-leap|opensuse-tumbleweed)
            zypper refresh
            zypper --non-interactive update libarchive libarchive13
            ;;
        *)
            echo "Unsupported OS ($OS). Manual update required."
            exit 1
            ;;
    esac
    echo "libarchive updated on $OS $VER. Verify with: dpkg -l | grep libarchive  OR  rpm -q libarchive"
}

detect_os
apply_fix
```


Run it:

```bash
chmod +x fix-libarchive.sh
sudo ./fix-libarchive.sh
```

Alternative Mitigation If You Can’t Update Now

Sometimes you can’t reboot, or a critical app breaks with the new version. Use these immediate workarounds without updating.

1. Block RAR / ISO uploads at the firewall with iptables string matching

Prevent your file upload endpoints from receiving RAR / ISO images.

```bash
# Block uploads of .rar and .iso (if your app uses /upload)
iptables -A INPUT -p tcp --dport 80 -m string --string "multipart/form-data" --algo bm -m string --string ".rar" --algo bm -j DROP
iptables -A INPUT -p tcp --dport 443 -m string --string "multipart/form-data" --algo bm -m string --string ".iso" --algo bm -j DROP
```

Not bulletproof but kills 80% of drive‑by exploits. One caveat: the string match only sees cleartext, so the port 443 rule does nothing for traffic that arrives TLS-encrypted; it only works where TLS is terminated upstream and the backend receives plain HTTP. Matching on the filename string is also no substitute for checking what the file actually is once the upload lands on disk.
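A filename filter only sees what the uploader chose to call the file. The script below is an added example, not code from the original post: it classifies files by their on-disk signature (the `Rar!` header bytes for RAR, the `CD001` marker in the ISO9660 primary volume descriptor) so a quarantine job or cron scan over an upload directory catches the two affected formats regardless of extension. The sample files are constructed in a temporary directory; `make_samples`, `archive_kind` and `scan_dir` are names chosen for this example.

```bash
#!/bin/bash
# Added example (not from the original post): classify files by on-disk
# signature rather than extension, so an upload quarantine or cron scan can
# flag RAR and ISO9660 images even when the filename does not say so.
# Signatures come from the public format specifications:
#   RAR     : file starts with the bytes "Rar!" 0x1a 0x07 (v4 and v5 share this prefix)
#   ISO9660 : the string "CD001" at byte offset 32769, in the primary volume
#             descriptor that follows the 32 KiB system area
# The sample files below are constructed in a temporary directory.

# archive_kind FILE -> prints "rar", "iso9660" or "other"
archive_kind() {
    local f="$1" magic size
    magic=$(head -c 6 -- "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "526172211a07" ]; then
        echo rar
        return
    fi
    size=$(( $(wc -c < "$f") ))
    # An ISO image must extend at least 5 bytes past the descriptor offset
    if [ "$size" -ge 32774 ] && \
       [ "$(tail -c +32770 -- "$f" | head -c 5)" = "CD001" ]; then
        echo iso9660
        return
    fi
    echo other
}

# scan_dir DIR -> one "KIND<TAB>PATH" line per flagged file; silent for everything else
scan_dir() {
    local f kind
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(archive_kind "$f")
        [ "$kind" = other ] || printf '%s\t%s\n' "$kind" "$f"
    done
}

# make_samples -> creates constructed sample files, prints the directory path
make_samples() {
    local d
    d=$(mktemp -d)
    printf 'Rar!\032\007\000payload' > "$d/report.rar"              # genuine RAR v4 header
    printf 'Rar!\032\007\001\000payload' > "$d/invoice.txt"         # RAR v5 header, renamed to .txt
    { head -c 32769 /dev/zero; printf 'CD001'; } > "$d/disk.img"    # minimal ISO9660 shape
    printf 'just some text\n' > "$d/notes.txt"                      # harmless control file
    echo "$d"
}

# Demo: scan the constructed samples and list what a quarantine job would flag
samples=$(make_samples)
scan_dir "$samples"
rm -rf "$samples"
```

The demo flags `report.rar`, the renamed `invoice.txt` and `disk.img`, and ignores `notes.txt`. Point `scan_dir` at your upload directory from cron, or call `archive_kind` from the upload handler before anything hands the file to libarchive.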

2. AppArmor profile for any program that uses libarchive

Create /etc/apparmor.d/usr.bin.bsdtar:

```text
#include <tunables/global>

/usr/bin/bsdtar {
  #include <abstractions/base>

  # The binary itself, plus the only trees it may read (home) and write (tmp)
  /usr/bin/bsdtar mr,
  /home/** r,
  /tmp/** rw,
  /proc/*/fd/ r,

  # Refuse to open RAR and ISO images in those trees; deny rules win over allow rules
  deny /home/**.{rar,RAR} r,
  deny /home/**.{iso,ISO} r,
  deny /tmp/**.{rar,RAR} rw,
  deny /tmp/**.{iso,ISO} rw,
}
```

Then load it. Start in complain mode (from apparmor-utils) so denials are only logged, check the log, and switch to enforce once the profile does not break legitimate use:

```bash
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.bsdtar
sudo aa-complain /usr/bin/bsdtar   # log what would be blocked, without blocking
sudo aa-enforce /usr/bin/bsdtar    # enforce once the log looks clean
```
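While the profile runs in complain mode you need to see what it would have blocked, and once enforced the same events are a useful detection feed. The script below is an added example, not code from the original post: it extracts `DENIED` events for the bsdtar profile from AppArmor audit lines (the `apparmor="DENIED" operation=... profile=... name=...` format the kernel logs) and prints the PID, operation, denied mask and path. The three log lines are constructed samples; on a real host pipe in `journalctl -k` or `/var/log/audit/audit.log` instead. `apparmor_denials` and `count_denials` are names chosen for this example.

```bash
#!/bin/bash
# Added example (not from the original post): pull AppArmor DENIED events for
# one profile out of kernel/audit log lines, for profile tuning and detection.
# SAMPLE_LOG holds three constructed lines in the standard AppArmor audit format.

SAMPLE_LOG='kernel: audit: type=1400 audit(1776600000.123:456): apparmor="DENIED" operation="open" profile="/usr/bin/bsdtar" name="/tmp/upload/invoice.rar" pid=4242 comm="bsdtar" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1776600001.456:457): apparmor="ALLOWED" operation="open" profile="/usr/bin/bsdtar" name="/tmp/upload/ok.tar" pid=4243 comm="bsdtar" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
kernel: audit: type=1400 audit(1776600002.789:458): apparmor="DENIED" operation="open" profile="/usr/bin/bsdtar" name="/home/alice/image.iso" pid=4244 comm="bsdtar" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000'

# apparmor_denials PROFILE < log
#   -> one "PID<TAB>OPERATION<TAB>DENIED_MASK<TAB>PATH" line per DENIED event for PROFILE
# Fields are split on whitespace, so paths containing spaces would need the
# hex-encoded name= form AppArmor emits for them; plain paths are handled here.
apparmor_denials() {
    awk -v want="profile=\"$1\"" '
        /apparmor="DENIED"/ && index($0, want) {
            op = path = pid = mask = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                v = kv[2]; gsub(/["]/, "", v)
                if (kv[1] == "operation")        op   = v
                else if (kv[1] == "name")        path = v
                else if (kv[1] == "pid")         pid  = v
                else if (kv[1] == "denied_mask") mask = v
            }
            printf "%s\t%s\t%s\t%s\n", pid, op, mask, path
        }'
}

# count_denials PROFILE < log -> number of DENIED events for PROFILE
count_denials() {
    apparmor_denials "$1" | wc -l
}

# Demo on the constructed lines: the ALLOWED line (complain mode) is skipped
printf '%s\n' "$SAMPLE_LOG" | apparmor_denials /usr/bin/bsdtar
```

In complain mode AppArmor logs `apparmor="ALLOWED"` for actions the profile would have denied, so to preview the impact before enforcing, run the same filter with `ALLOWED` in place of `DENIED`.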


3. Remove RAR support from libarchive (compile‑time mitigation)

If you compile from source, leave the two affected readers out of the build (check `./configure --help` in your libarchive release for the exact option names):

```bash
./configure --disable-rar --disable-iso9660
make && sudo make install
```

The same effect is available at runtime without rebuilding: libarchive only parses the formats the calling program registers, so an application that calls the specific `archive_read_support_format_*()` functions it needs (for example tar and zip) instead of `archive_read_support_format_all()` never reaches the RAR or ISO9660 code paths, whatever the input looks like.


Suggested reading

Stop chasing CVEs. Learn to think like an attacker with The Linux Security Cookbook: 200+ Real‑World Recipes (No Starch Press), available on Amazon.

It covers:

  • How to write your own vulnerability checks (like the ones above)
  • Automating patches across 100+ servers



Debian Linux Security Hardening and Best Practices by Cael Reed (Amazon)

Why this matters:

This is a code-heavy, no-fluff guide focused entirely on Debian (and by extension Ubuntu, Kali, Mint). It includes working commands for:

  • Mapping CVEs to installed packages (debsecan, security tracker)
  • Building nftables policies with service allowlists
  • Deploying AppArmor profiles for application containment
  • Setting up unattended upgrades with canary rollouts

Key sections relevant to archive parsing security:

  • Map CVEs to installed packages using debsecan
  • Build nftables policy for IPv4/IPv6
  • Deploy AppArmor or SELinux on Debian

Affiliate disclosure: As an Amazon Associate, I earn from qualifying purchases. This helps me keep writing in-depth security guides – at no extra cost to you.

Conclusion:

You now have a repeatable playbook for libarchive vulnerabilities – or any library that parses untrusted files. Don’t wait for the next advisory.

