CVE-2026-4111: vLLM infinite loop DoS

CISO Take

CVE-2026-4111 is a CWE-835 infinite loop vulnerability in libarchive's RAR5 decompression path that allows a remote, unauthenticated attacker to permanently saturate CPU resources by submitting a single crafted archive — no credentials, no user interaction required. The critical AI angle is that Red Hat AI Infrastructure Services containers shipping vLLM (vllm-cuda-rhel9, vllm-rocm-rhel9, vllm-spyre-rhel9) are explicitly listed as affected, meaning production LLM inference endpoints that accept file uploads or process archived model artifacts are directly in scope across 130 downstream dependents. While no public exploit or CISA KEV listing exists today, the CVSS 7.5 network-accessible vector with zero prerequisites makes weaponization trivial once proof-of-concept code surfaces. Immediately apply the available Red Hat advisories (RHSA-2026:10065 through RHSA-2026:25096), enforce RAR5 content filtering at API gateways fronting AI services, and set hard CPU limits on vLLM containers to contain blast radius.

Sources: NVD CISA KEV ATLAS

What is the risk?

Risk is HIGH for organizations running vLLM or any libarchive-backed service that accepts user-submitted archives. The CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/A:H) reflects a zero-barrier network path with no authentication or user interaction required — ideal conditions for automated, low-cost DoS campaigns. The 53 prior CVEs in libarchive and a package risk score of 61/100 indicate a historically vulnerability-dense component with ongoing exposure. Absence from CISA KEV and no public exploit moderates immediate urgency, but the trivial exploitation complexity compresses the window before weaponization. For AI inference infrastructure specifically, availability is a revenue-critical property: a sustained DoS event against a vLLM node directly translates to inference service outage for downstream users and applications.

How does the attack unfold?

Craft Malicious Archive

Attacker constructs a RAR5 archive that passes libarchive checksum validation but encodes a decompression state path that triggers an unreachable loop exit condition in archive_read_data().

AML.T0016.001

Submit to AI Endpoint

Attacker uploads the crafted archive to a vLLM inference API or model registry endpoint that accepts compressed file inputs, requiring no authentication or elevated privileges.

AML.T0049

CPU Exhaustion

libarchive enters an infinite loop consuming 100% of one CPU core per concurrent request; multiple simultaneous submissions saturate all available threads on the inference node.

AML.T0034.001

Inference Service DoS

The vLLM server becomes unresponsive to all legitimate inference requests with persistent timeouts until an operator kills and restarts the affected container.

AML.T0029

Craft Malicious Archive

Attacker constructs a RAR5 archive that passes libarchive checksum validation but encodes a decompression state path that triggers an unreachable loop exit condition in archive_read_data().

AML.T0016.001

Submit to AI Endpoint

Attacker uploads the crafted archive to a vLLM inference API or model registry endpoint that accepts compressed file inputs, requiring no authentication or elevated privileges.

AML.T0049

CPU Exhaustion

libarchive enters an infinite loop consuming 100% of one CPU core per concurrent request; multiple simultaneous submissions saturate all available threads on the inference node.

AML.T0034.001

Inference Service DoS

The vLLM server becomes unresponsive to all legitimate inference requests with persistent timeouts until an operator kills and restarts the affected container.

AML.T0029

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM	pip	—	No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
discovery/discovery-server-rhel9	—	—	No patch
discovery/discovery-ui-rhel9	—	—	No patch
insights-proxy/insights-proxy-container-rhel9	—	—	No patch
libarchive	—	—	No patch
libarchive-main	—	—	No patch
rhaiis/model-opt-cuda-rhel9	—	—	No patch
rhcos	—	—	No patch
rhui5/cds-rhel9	—	—	No patch
rhui5/haproxy-rhel9	—	—	No patch
rhui5/installer-rhel9	—	—	No patch
rhui5/rhua-rhel9	—	—	No patch

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Patch immediately: Apply Red Hat advisories RHSA-2026:10065, RHSA-2026:10081, RHSA-2026:10097, RHSA-2026:14773, RHSA-2026:15087, RHSA-2026:16008, RHSA-2026:16009, RHSA-2026:16174, RHSA-2026:17596, and RHSA-2026:25096 covering affected RHAIIS and libarchive packages.
Workaround: Block or sandbox RAR5 archive uploads at the API gateway or load balancer layer before content reaches any libarchive-backed service; reject Content-Type and magic-byte signatures for RAR5.
Container hardening: Apply CPU limits (e.g., Docker --cpus or Kubernetes resource.limits.cpu) on all vLLM containers so an infinite loop cannot starve adjacent workloads or saturate the node.
Detection: Alert on sustained single-thread CPU utilization above 90% on inference nodes lasting more than 60 seconds, which is a reliable indicator of an active infinite loop.
Inventory: Enumerate all services and pipelines using libarchive — model registries, dataset ingestion services, file processors — beyond the listed RHAIIS containers to identify additional exposure.

How is it classified?

DoS Supply Chain Inference Framework AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0034.001 - Resource-Intensive Queries AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

A.9.2 - AI system operational security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-4111?

CVE-2026-4111 is a CWE-835 infinite loop vulnerability in libarchive's RAR5 decompression path that allows a remote, unauthenticated attacker to permanently saturate CPU resources by submitting a single crafted archive — no credentials, no user interaction required. The critical AI angle is that Red Hat AI Infrastructure Services containers shipping vLLM (vllm-cuda-rhel9, vllm-rocm-rhel9, vllm-spyre-rhel9) are explicitly listed as affected, meaning production LLM inference endpoints that accept file uploads or process archived model artifacts are directly in scope across 130 downstream dependents. While no public exploit or CISA KEV listing exists today, the CVSS 7.5 network-accessible vector with zero prerequisites makes weaponization trivial once proof-of-concept code surfaces. Immediately apply the available Red Hat advisories (RHSA-2026:10065 through RHSA-2026:25096), enforce RAR5 content filtering at API gateways fronting AI services, and set hard CPU limits on vLLM containers to contain blast radius.

Is CVE-2026-4111 actively exploited?

No confirmed active exploitation of CVE-2026-4111 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-4111?

1. Patch immediately: Apply Red Hat advisories RHSA-2026:10065, RHSA-2026:10081, RHSA-2026:10097, RHSA-2026:14773, RHSA-2026:15087, RHSA-2026:16008, RHSA-2026:16009, RHSA-2026:16174, RHSA-2026:17596, and RHSA-2026:25096 covering affected RHAIIS and libarchive packages. 2. Workaround: Block or sandbox RAR5 archive uploads at the API gateway or load balancer layer before content reaches any libarchive-backed service; reject Content-Type and magic-byte signatures for RAR5. 3. Container hardening: Apply CPU limits (e.g., Docker --cpus or Kubernetes resource.limits.cpu) on all vLLM containers so an infinite loop cannot starve adjacent workloads or saturate the node. 4. Detection: Alert on sustained single-thread CPU utilization above 90% on inference nodes lasting more than 60 seconds, which is a reliable indicator of an active infinite loop. 5. Inventory: Enumerate all services and pipelines using libarchive — model registries, dataset ingestion services, file processors — beyond the listed RHAIIS containers to identify additional exposure.

What systems are affected by CVE-2026-4111?

This vulnerability affects the following AI/ML architecture patterns: LLM inference serving (vLLM), Containerized AI serving infrastructure, Model artifact ingestion pipelines, Dataset ingestion and preprocessing pipelines, AI model registries.

What is the CVSS score for CVE-2026-4111?

CVE-2026-4111 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

LLM inference serving (vLLM)Containerized AI serving infrastructureModel artifact ingestion pipelinesDataset ingestion and preprocessing pipelinesAI model registries

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0034.001 Resource-Intensive Queries

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

A flaw was identified in the RAR5 archive decompression logic of the libarchive library, specifically within the archive_read_data() processing path. When a specially crafted RAR5 archive is processed, the decompression routine may enter a state where internal logic prevents forward progress. This condition results in an infinite loop that continuously consumes CPU resources. Because the archive passes checksum validation and appears structurally valid, affected applications cannot detect the issue before processing. This can allow attackers to cause persistent denial-of-service conditions in services that automatically process archives.

Exploitation Scenario

An adversary targeting an organization's vLLM inference deployment identifies that the API accepts compressed model weight files or dataset uploads — a common pattern in fine-tuning APIs and model registries. Using freely available archive manipulation tools, the attacker crafts a RAR5 file that passes libarchive's checksum validation but encodes a decompression state that cycles indefinitely inside archive_read_data(). The attacker submits the archive via the public API endpoint, requiring no credentials. The libarchive worker thread enters an infinite loop consuming one full CPU core; by submitting a small number of concurrent requests the attacker saturates all available inference threads. The vLLM server stops responding to legitimate inference calls, returning timeouts and 503 errors to all clients. Recovery requires an operator to identify the stuck process, kill it, and restart the container — during which time the inference service is completely unavailable. The attacker can sustain the outage indefinitely by re-submitting archives faster than the operator can respond.

Weaknesses (CWE)

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835 — Loop with Unreachable Exit Condition ('Infinite Loop'): The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Source: MITRE CWE corpus.