GHSA-fjqv-vj6q-4fcm.json
{
"schema_version": "1.4.0",
"id": "GHSA-fjqv-vj6q-4fcm",
"modified": "2026-04-07T18:31:45Z",
"published": "2026-04-07T18:31:37Z",
"aliases": [
"CVE-2026-5745"
],
"summary": "Non-exploitable code flaw in libarchive",
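"details": "A flaw was found in libarchive. A NULL pointer is incremented in the ACL parsing logic, specifically within the archive_acl_from_text_nl() function. When processing a malformed ACL string (such as a bare \"d\" or \"default\" tag without subsequent fields), the function fails to perform adequate validation before advancing the pointer. This is not exploitable, since the incremented pointer is not dereferenced. Note that the CVSS vector in this record nonetheless rates availability impact as high (A:H), and the record is unreviewed with no affected package name or fixed version populated, so confirm impact and patched versions against the linked references.",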
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
}
],
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": ""
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
}
]
}
]
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5745"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-5745"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455921"
}
],
"database_specific": {
"cwe_ids": [],
"severity": "MODERATE",
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-07T16:16:32Z"
}
}