CVE-2024-48615
Published: 28 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-48615 is a Null Pointer Dereference vulnerability (CWE-476) in libarchive versions 3.7.6 and earlier. The flaw manifests when running the bsdtar program, specifically in the header_pax_extension function located at archive_read_support_format_tar.c:1844:8.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges required, and no user interaction needed. Remote attackers can trigger a denial-of-service condition with high availability impact, such as causing application crashes through malformed inputs.
References point to a GitHub crash-test repository demonstrating the issue and to the source release tarball for libarchive 3.7.6, but no explicit advisory or patch details are included in the provided information.
Details
- CWE(s): CWE-476 (Null Pointer Dereference)
- Affected Products: libarchive 3.7.6 and earlier (bsdtar, header_pax_extension in archive_read_support_format_tar.c)
- MITRE ATT&CK Enterprise Techniques: Endpoint Denial of Service: Application or System Exploitation (T1499.004)
Why these techniques?
A null pointer dereference in libarchive's bsdtar causes a segmentation fault (crash) when a crafted TAR archive is read, enabling endpoint DoS through application exploitation.
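Because the impact here is a process crash, the practical defensive question is how to notice it: a service that hands untrusted archives to bsdtar should treat a signal-terminated child as a security event, not a generic error. The triage harness below is an added example for this page, not code from libarchive or from the CVE record. It assumes bsdtar is on PATH and uses its real list-only flags (-t to list, -f for the file) so nothing is written to disk; the python_cmd helper is a constructed stand-in used only to exercise the classifier without an archive sample.

```python
import signal
import subprocess
import sys
from typing import List, Tuple


def classify_run(cmd: List[str], timeout: float = 10.0) -> Tuple[str, str]:
    """Run cmd and classify the outcome as (kind, detail).

    kind is one of 'ok', 'error', 'crash', 'timeout'. On POSIX a negative return
    code means the child was killed by a signal; SIGSEGV, SIGBUS and SIGABRT are
    the signatures of memory-safety faults such as the null pointer dereference
    described in this CVE, and are reported separately from ordinary non-zero exits.
    """
    try:
        proc = subprocess.run(
            cmd, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, timeout=timeout
        )
    except subprocess.TimeoutExpired:
        return ("timeout", f"no result within {timeout}s")
    except FileNotFoundError:
        return ("error", f"command not found: {cmd[0]}")
    rc = proc.returncode
    if rc < 0:
        try:
            name = signal.Signals(-rc).name
        except ValueError:
            name = f"signal {-rc}"
        return ("crash", name)
    if rc == 0:
        return ("ok", "")
    stderr = proc.stderr.decode(errors="replace").strip()
    return ("error", stderr or f"exit status {rc}")


def check_archive(path: str, timeout: float = 10.0) -> Tuple[str, str]:
    """Triage one archive by listing it with bsdtar (-t list, -f file), never extracting.
    Assumption: a 'bsdtar' binary is on PATH."""
    return classify_run(["bsdtar", "-tf", path], timeout=timeout)


def python_cmd(code: str) -> List[str]:
    """Constructed stand-in child process used to exercise the classifier offline."""
    return [sys.executable, "-c", code]


if __name__ == "__main__":
    # Constructed demonstration: a child that kills itself with SIGSEGV is reported
    # as a crash, exactly as a bsdtar segfault on a crafted archive would be.
    print(classify_run(python_cmd("import os, signal; os.kill(os.getpid(), signal.SIGSEGV)")))
    print(classify_run(python_cmd("pass")))
    if len(sys.argv) > 1:
        print(check_archive(sys.argv[1]))
```

In a quarantine or ingestion pipeline, route the 'crash' outcome to alerting and retain the input for analysis; an unexpected SIGSEGV from an archive parser is worth the same attention as a failed signature check. Pair this with a timeout so that a parser that hangs rather than crashes is also caught.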