CVE-2026-5121: libarchive: integer overflow in zisofs hits vllm containers
HIGH
A heap buffer overflow in libarchive's zisofs block pointer allocation, triggered by a malicious ISO9660 image, exposes systems running Red Hat's vllm inference containers to potential information disclosure and, per vendor advisories, possible arbitrary code execution — though the CVSS scoring (C:H/I:N/A:N, 7.5) reflects a conservative read focused on confidentiality impact rather than confirmed RCE. The critical constraint is architecture: exploitation requires a 32-bit host, and virtually no production AI inference infrastructure operates on 32-bit hardware, which substantially reduces real-world exposure for most organizations running GPU-based LLM serving. With no public exploit, no CISA KEV listing, and 10 Red Hat errata already published (RHSA-2026:10065 through RHSA-2026:16008), urgency is moderated — vllm container operators on RHEL 9 should apply the errata on normal patch cadence and confirm their inference hosts are 64-bit.
What is the risk?
MEDIUM — The 7.5 CVSS score and network-exploitable, zero-interaction attack vector are concerning on paper, but the 32-bit architecture requirement is a hard constraint that eliminates virtually all modern AI inference deployments. GPU nodes, cloud instances, and HPC clusters are uniformly 64-bit, making this largely theoretical for current LLM serving infrastructure. The primary residual risk is legacy or embedded 32-bit Linux environments where libarchive processes untrusted archive inputs adjacent to AI pipelines, or build/CI systems where container layers are extracted on mixed-architecture hosts. Red Hat's rapid response with 10 errata advisories signals active vendor attention and available remediation.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| vLLM | pip | — | No patch |
| discovery/discovery-ui-rhel9 | — | — | No patch |
| insights-proxy/insights-proxy-container-rhel9 | — | — | No patch |
| libarchive | — | — | No patch |
| libarchive-main | — | — | No patch |
| rhaiis/model-opt-cuda-rhel9 | — | — | No patch |
| rhcos | — | — | No patch |
| rhpam-7/rhpam-businesscentral-monitoring-rhel8 | — | — | No patch |
| rhpam-7/rhpam-businesscentral-rhel8 | — | — | No patch |
| rhpam-7/rhpam-controller-rhel8 | — | — | No patch |
| rhpam-7/rhpam-dashbuilder-rhel8 | — | — | No patch |
| rhpam-7/rhpam-kieserver-rhel8 | — | — | No patch |
| rhpam-7/rhpam-process-migration-rhel8 | — | — | No patch |
| rhpam-7/rhpam-smartrouter-rhel8 | — | — | No patch |
| rhui5/cds-kubernetes-tp-rhel9 | — | — | No patch |
| rhui5/cds-rhel9 | — | — | No patch |
| rhui5/haproxy-rhel9 | — | — | No patch |
| rhui5/installer-rhel9 | — | — | No patch |
| rhui5/installer-tp-rhel9 | — | — | No patch |
| rhui5/rhua-rhel9 | — | — | No patch |
| rhui5/rhua-tp-rhel9 | — | — | No patch |
What should I do?
5 steps:
1. Confirm all hosts running vllm or affected containers are 64-bit (run 'uname -m' — x86_64 or aarch64 means you are not vulnerable to this specific flaw).
2. Apply all applicable Red Hat errata: RHSA-2026:10065, :10097, :11768, :12071, :12274, :13812, :14773, :14937, :15087, :16008.
3. Pull updated vllm container images from Red Hat registry and verify image digests post-update.
4. Restrict any service that invokes libarchive so that it does not process ISO9660 or zisofs archives from sources you do not control — network-accessible archive extraction endpoints are the primary exposure surface.
5. No public exploit or Nuclei scanner template exists; standard patch-cycle urgency applies rather than emergency response.
Frequently Asked Questions
Is CVE-2026-5121 actively exploited?
No confirmed active exploitation of CVE-2026-5121 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-5121?
This vulnerability affects the following AI/ML architecture patterns: model serving, LLM inference infrastructure, containerized AI workloads.
What is the CVSS score for CVE-2026-5121?
CVE-2026-5121 has a CVSS v3.1 base score of 7.5 (HIGH).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0049 Exploit Public-Facing Application
- AML.T0112 Machine Compromise
What are the technical details?
Original Advisory
A flaw was found in libarchive. On 32-bit systems, an integer overflow vulnerability exists in the zisofs block pointer allocation logic. A remote attacker can exploit this by providing a specially crafted ISO9660 image, which can lead to a heap buffer overflow. This could potentially allow for arbitrary code execution on the affected system.
Exploitation Scenario
An adversary targeting an LLM inference environment built on Red Hat vllm containers running on a 32-bit RHEL 9 host — a rare but non-zero scenario in edge or embedded AI deployments — stages a specially crafted ISO9660 image with a malformed zisofs block pointer table designed to trigger an integer overflow during allocation. The image is delivered via a poisoned container registry layer, a shared NFS mount, or a crafted model artifact archive that the vllm host extracts at runtime. When libarchive processes the image, the integer overflow produces a heap buffer smaller than needed, and subsequent writes overflow into adjacent allocations. Depending on heap layout, the adversary reads memory adjacent to the overflowed buffer, potentially extracting API tokens, system prompt data, or partial model weights from the co-located vllm inference process — consistent with the C:H CVSS scoring.
Weaknesses (CWE)
CWE-190 — Integer Overflow or Wraparound: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
- [Requirements] Ensure that all protocols are strictly defined, such that all out-of-bounds behavior can be identified simply, and require strict conformance to the protocol.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. If possible, choose a language or compiler that performs automatic bounds checking.
Source: MITRE CWE corpus.
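The arithmetic behind this weakness class, as an added example (not libarchive's code and not taken from the advisory). It assumes a zisofs-style table of one 4-byte pointer per data block plus one end entry, uses hypothetical function names and constructed block counts, and models a 32-bit host's size_t with uint32_t so the wraparound is visible on any machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: one 4-byte pointer per data block plus one end entry.
 * All names are hypothetical; this is not libarchive's source. */
#define PTR_SIZE 4u

/* Unchecked size in a 32-bit type (size_t on a 32-bit host):
 * (nblocks + 1) * 4 wraps modulo 2^32 for large counts. */
static uint32_t table_bytes_unchecked32(uint32_t nblocks)
{
    return (nblocks + 1u) * PTR_SIZE;
}

/* Same formula in a 64-bit type (size_t on x86_64/aarch64): any 32-bit
 * count times 4 fits, which is why 64-bit hosts do not hit the wrap. */
static uint64_t table_bytes_64(uint32_t nblocks)
{
    return ((uint64_t)nblocks + 1u) * PTR_SIZE;
}

/* Hardened form: refuse counts whose table size cannot be represented,
 * before any allocation or write happens. */
static bool table_bytes_checked32(uint32_t nblocks, uint32_t *out)
{
    if (nblocks >= UINT32_MAX / PTR_SIZE)
        return false;               /* (nblocks + 1) * 4 would wrap */
    *out = (nblocks + 1u) * PTR_SIZE;
    return true;
}

int main(void)
{
    /* Constructed block counts: one ordinary, one past the 32-bit limit. */
    const uint32_t counts[] = { 1024u, 0x40000000u };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint32_t ok_size = 0;
        bool ok = table_bytes_checked32(counts[i], &ok_size);
        printf("nblocks=%u unchecked32=%u size64=%llu checked=%s\n",
               (unsigned)counts[i],
               (unsigned)table_bytes_unchecked32(counts[i]),
               (unsigned long long)table_bytes_64(counts[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

A buffer sized by the unchecked 32-bit result for the second count would be far smaller than the table the parser goes on to fill, which is the undersized-allocation condition the advisory describes.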
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References
- access.redhat.com/errata/RHSA-2026:10065
- access.redhat.com/errata/RHSA-2026:10097
- access.redhat.com/errata/RHSA-2026:11768
- access.redhat.com/errata/RHSA-2026:12071
- access.redhat.com/errata/RHSA-2026:12274
- access.redhat.com/errata/RHSA-2026:13812
- access.redhat.com/errata/RHSA-2026:14773
- access.redhat.com/errata/RHSA-2026:14937
- access.redhat.com/errata/RHSA-2026:15087
- access.redhat.com/errata/RHSA-2026:16008
- access.redhat.com/errata/RHSA-2026:16009
- access.redhat.com/errata/RHSA-2026:16030
- access.redhat.com/errata/RHSA-2026:16174
- access.redhat.com/errata/RHSA-2026:17596
- access.redhat.com/errata/RHSA-2026:19724
- access.redhat.com/errata/RHSA-2026:19725
- access.redhat.com/errata/RHSA-2026:20040
- access.redhat.com/errata/RHSA-2026:21690
- access.redhat.com/errata/RHSA-2026:25096
- access.redhat.com/errata/RHSA-2026:8510
- access.redhat.com/errata/RHSA-2026:8517
- access.redhat.com/errata/RHSA-2026:8521
- access.redhat.com/errata/RHSA-2026:8534
- access.redhat.com/errata/RHSA-2026:8864
- access.redhat.com/errata/RHSA-2026:8866
- access.redhat.com/errata/RHSA-2026:8867
- access.redhat.com/errata/RHSA-2026:8873
- access.redhat.com/errata/RHSA-2026:8908
- access.redhat.com/errata/RHSA-2026:8944
- access.redhat.com/errata/RHSA-2026:9026
- access.redhat.com/errata/RHSA-2026:9592
- access.redhat.com/errata/RHSA-2026:9832
- access.redhat.com/security/cve/CVE-2026-5121
- bugzilla.redhat.com/show_bug.cgi
- github.com/advisories/GHSA-2vwv-vqpv-v8vc
- github.com/libarchive/libarchive/pull/2934
Related Vulnerabilities
- CVE-2024-9053 (9.8) vllm: RCE via unsafe pickle deserialization in RPC server. Same package: vllm
- CVE-2026-25960 (9.8) vllm: SSRF allows internal network access. Same package: vllm
- CVE-2025-47277 (9.8) vLLM: RCE via exposed TCPStore in distributed inference. Same package: vllm
- CVE-2024-11041 (9.8) vllm: RCE via unsafe pickle deserialization in MessageQueue. Same package: vllm
- CVE-2025-32444 (9.8) vLLM: RCE via pickle deserialization on ZeroMQ. Same package: vllm