AI Threat Alert

CVE-2026-4424: libarchive: RAR heap OOB read leaks memory in vLLM stacks

HIGH
Published March 19, 2026
CISO Take

A heap out-of-bounds read in libarchive (CWE-125) can be triggered remotely without authentication or user interaction by submitting a crafted RAR archive with an invalid LZSS sliding window size, causing the library to return adjacent heap contents to the attacker. The direct AI relevance is that Red Hat's official vLLM inference container images — cuda, rocm, and spyre variants deployed in GPU inference clusters — bundle a vulnerable libarchive build, meaning any endpoint within those containers that processes archive inputs exposes heap-resident data that may include in-flight user prompts, model shards, or runtime API credentials. While no public exploit exists and CISA has not added this to KEV, the CVSS 7.5 score reflects a fully remote, zero-auth, zero-interaction path, and libarchive's history of 53 CVEs signals a persistently troubled dependency. Teams running RHAIIS vLLM containers should apply the ten Red Hat advisories (RHSA-2026:10065 through RHSA-2026:16008) and audit whether any inference endpoints accept archive inputs.

Sources: NVD CISA KEV ATLAS access.redhat.com

What is the risk?

CVSS 7.5 (High) with AV:N/AC:L/PR:N/UI:N represents a low-friction exploitation path, though the impact is confidentiality-only — no code execution and no availability impact moderate the acute operational risk. The absence of a public exploit and exclusion from CISA KEV suggest active exploitation is unlikely in the near term. However, for organizations running Red Hat vLLM containers in multi-tenant GPU inference environments, heap memory disclosure carries a disproportionate secondary risk: the heap in an active inference process may contain cross-tenant prompt data, decrypted API keys for downstream model endpoints, or loaded model weight pages. With 130 downstream dependents and 53 historical CVEs in libarchive, patch latency in this dependency is a documented operational pattern that raises the residual exposure window.

How does the attack unfold?

Endpoint Discovery
Adversary actively scans or probes the target organization's AI infrastructure to identify vLLM inference service endpoints that accept file or archive inputs.
AML.T0006
Malicious Archive Delivery
Attacker crafts a RAR archive with specially constructed LZSS-to-uncompressed method transitions that produce an invalid sliding window size and submits it to the exposed inference endpoint.
AML.T0049
Heap OOB Read Trigger
libarchive processes the malicious archive and reads beyond the allocated decompression buffer due to improper window size validation after the compression method transition.
AML.T0106
Heap Memory Exfiltration
Adjacent heap memory containing in-flight user prompts, API credentials, or model activation data is disclosed to the attacker through the out-of-bounds read result.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
vLLM pip No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM pip No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
vLLM pip No patch
82.1K 130 dependents Pushed 5d ago 42% patched ~32d to patch Full package profile →
discovery/discovery-server-rhel9 No patch
discovery/discovery-ui-rhel9 No patch
insights-proxy/insights-proxy-container-rhel9 No patch
libarchive No patch
libarchive-main No patch
rhaiis/model-opt-cuda-rhel9 No patch
rhcos No patch
rhpam-7/rhpam-businesscentral-monitoring-rhel8 No patch
rhpam-7/rhpam-businesscentral-rhel8 No patch
rhpam-7/rhpam-controller-rhel8 No patch
rhpam-7/rhpam-dashbuilder-rhel8 No patch
rhpam-7/rhpam-kieserver-rhel8 No patch
rhpam-7/rhpam-process-migration-rhel8 No patch
rhpam-7/rhpam-smartrouter-rhel8 No patch
rhui5/cds-kubernetes-tp-rhel9 No patch
rhui5/cds-rhel9 No patch
rhui5/haproxy-rhel9 No patch
rhui5/installer-rhel9 No patch
rhui5/installer-tp-rhel9 No patch
rhui5/rhua-rhel9 No patch
rhui5/rhua-tp-rhel9 No patch

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps

  1. Apply all available Red Hat Security Advisories immediately: RHSA-2026:10065, RHSA-2026:10097, RHSA-2026:11768, RHSA-2026:12071, RHSA-2026:12274, RHSA-2026:13812, RHSA-2026:14773, RHSA-2026:14937, RHSA-2026:15087, RHSA-2026:16008 — these patch the affected rhaiis/vllm-* container images and libarchive-main.

  2. If immediate container image updates are not feasible, disable or block any RAR archive processing at the inference service layer or via ingress WAF/API gateway rules.

  3. Implement container-level memory isolation (seccomp profiles, cgroup memory namespacing) to reduce cross-tenant heap data exposure in multi-tenant inference deployments.

  4. Deploy runtime container security tooling (Falco, Tetragon) to alert on unexpected archive file processing within vLLM container processes.

  5. Audit and rotate any secrets, API keys, or credentials that were in-memory in affected containers during the exposure window if exploitation cannot be ruled out.

How is it classified?

Data Extraction Supply Chain Inference AML.T0010.001 AML.T0025 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system risk management — third-party component controls
NIST AI RMF
MANAGE-2.2 - Mechanisms for managing identified AI risks
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-4424?

A heap out-of-bounds read in libarchive (CWE-125) can be triggered remotely without authentication or user interaction by submitting a crafted RAR archive with an invalid LZSS sliding window size, causing the library to return adjacent heap contents to the attacker. The direct AI relevance is that Red Hat's official vLLM inference container images — cuda, rocm, and spyre variants deployed in GPU inference clusters — bundle a vulnerable libarchive build, meaning any endpoint within those containers that processes archive inputs exposes heap-resident data that may include in-flight user prompts, model shards, or runtime API credentials. While no public exploit exists and CISA has not added this to KEV, the CVSS 7.5 score reflects a fully remote, zero-auth, zero-interaction path, and libarchive's history of 53 CVEs signals a persistently troubled dependency. Teams running RHAIIS vLLM containers should apply the ten Red Hat advisories (RHSA-2026:10065 through RHSA-2026:16008) and audit whether any inference endpoints accept archive inputs.

Is CVE-2026-4424 actively exploited?

No confirmed active exploitation of CVE-2026-4424 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-4424?

1. Apply all available Red Hat Security Advisories immediately: RHSA-2026:10065, RHSA-2026:10097, RHSA-2026:11768, RHSA-2026:12071, RHSA-2026:12274, RHSA-2026:13812, RHSA-2026:14773, RHSA-2026:14937, RHSA-2026:15087, RHSA-2026:16008 — these patch the affected rhaiis/vllm-* container images and libarchive-main. 2. If immediate container image updates are not feasible, disable or block any RAR archive processing at the inference service layer or via ingress WAF/API gateway rules. 3. Implement container-level memory isolation (seccomp profiles, cgroup memory namespacing) to reduce cross-tenant heap data exposure in multi-tenant inference deployments. 4. Deploy runtime container security tooling (Falco, Tetragon) to alert on unexpected archive file processing within vLLM container processes. 5. Audit and rotate any secrets, API keys, or credentials that were in-memory in affected containers during the exposure window if exploitation cannot be ruled out.

What systems are affected by CVE-2026-4424?

This vulnerability affects the following AI/ML architecture patterns: LLM inference servers, container-based AI deployments, model serving platforms, multi-tenant GPU inference clusters.

What is the CVSS score for CVE-2026-4424?

CVE-2026-4424 has a CVSS v3.1 base score of 7.5 (HIGH).

What is the AI security impact?

Affected AI Architectures

LLM inference serverscontainer-based AI deploymentsmodel serving platformsmulti-tenant GPU inference clusters

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

A flaw was found in libarchive. This heap out-of-bounds read vulnerability exists in the RAR archive processing logic due to improper validation of the LZSS sliding window size after transitions between compression methods. A remote attacker can exploit this by providing a specially crafted RAR archive, leading to the disclosure of sensitive heap memory information without requiring authentication or user interaction.

Exploitation Scenario

An attacker targeting an enterprise running Red Hat vLLM inference containers crafts a malicious RAR archive containing transitions between LZSS-compressed and uncompressed blocks that produce an invalid sliding window size. The archive is submitted to a publicly accessible endpoint — a document-to-embedding preprocessing API, a model fine-tuning data ingestion interface, or a general file-upload facility — running within the vLLM container. When libarchive processes the archive, it reads beyond the decompression buffer boundary and surfaces heap-adjacent memory through returned data, error output, or observable timing differences. In a shared GPU inference server where multiple tenant sessions run concurrently, the attacker may recover prompt history from other users, bearer tokens for downstream model APIs, or partial activation data from adjacent inference threads — all without holding any prior credentials or triggering user interaction.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
March 19, 2026
Last Modified
June 10, 2026
First Seen
June 12, 2026

Related Vulnerabilities

CRITICAL CVE-2024-9053 9.8

vllm: RCE via unsafe pickle deserialization in RPC server

Same package: vllm
CRITICAL CVE-2024-11041 9.8

vllm: RCE via unsafe pickle deserialization in MessageQueue

Same package: vllm
CRITICAL CVE-2025-47277 9.8

vLLM: RCE via exposed TCPStore in distributed inference

Same package: vllm
CRITICAL CVE-2026-25960 9.8

vllm: SSRF allows internal network access

Same package: vllm
CRITICAL CVE-2025-32444 9.8

vLLM: RCE via pickle deserialization on ZeroMQ

Same package: vllm
Back to Threat Feed