This vulnerability in libarchive affects the RAR archive decompression functionality by allowing a heap out-of-bounds read due to improper validation of the LZSS sliding window size after transitions between compression methods. Exploitation requires a specially crafted RAR archive and can lead to information disclosure of heap memory contents. The flaw does not require authentication or user interaction and is remotely exploitable. Red Hat has acknowledged this issue (CVE-2026-4424) and issued security advisories with fixes included in updated packages and container images, notably in Red Hat OpenShift Container Platform 4.16.60 and Red Hat Enterprise Linux 10 updates. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high impact on confidentiality without affecting integrity or availability.

Successful exploitation of this vulnerability allows a remote attacker to read sensitive heap memory information from a system running vulnerable versions of libarchive on Red Hat Enterprise Linux 10. This can lead to disclosure of sensitive data, potentially aiding further attacks. There is no impact on integrity or availability. No known exploits in the wild have been reported at this time.

Red Hat has released security updates addressing CVE-2026-4424. Users of Red Hat Enterprise Linux 10 and Red Hat OpenShift Container Platform 4.16 are strongly advised to apply the relevant security updates and patches as provided in the official Red Hat advisories (e.g., RHSA-2026:10065, RHSA-2026:10097). Follow Red Hat's documented procedures for updating packages and container images to ensure the vulnerability is remediated. Patch status is confirmed by Red Hat advisories; no additional mitigation steps are required beyond applying these official fixes.