Wiz
Vulnerability DatabaseCVE-2022-26280

CVE-2022-26280
NixOS vulnerability analysis and mitigation

Overview

Libarchive version 3.6.0 was discovered to contain an out-of-bounds read vulnerability in the component zipxlzmaalone_init. The vulnerability was identified in February 2022 and affects the libarchive library, which is used for handling various streaming archive formats including tar, cpio, ar variants, shar archives, ISO9660 CDROM images, and ZIP archives (CVE Mitre, Debian Tracker).

Technical details

The vulnerability manifests as an out-of-bounds read condition in the zipxlzmaalone_init component. The issue was introduced in libarchive v3.4.0 through commit 121035c83e18b70d3128e9ac966109ebedb7e516 and was subsequently fixed in version 3.6.1 via commit cfaa28168a07ea4a53276b63068f94fce37d6aff (Debian Tracker).

Impact

The vulnerability allows an attacker who can supply a specially crafted zip file to libarchive to trigger an out-of-bounds read condition (Red Hat Portal).

Mitigation and workarounds

Multiple distributions have released patches to address this vulnerability. Fedora released version 3.5.3-2.fc36, Debian updated to version 3.4.3-2+deb11u2 for bullseye, and Gentoo recommended upgrading to version 3.6.1 or later. Users are advised to upgrade to the fixed versions available through their respective package managers (Fedora Update, Gentoo Advisory).

Additional resources

SourceThis report was generated using AI

Related NixOS vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-14330CRITICAL9.8
  • NixOSNixOS
  • rhel10::firefox-flatpak
NoYesDec 09, 2025
CVE-2025-14329HIGH8.8
  • NixOSNixOS
  • cpe:2.3:a:mozilla:firefox
NoYesDec 09, 2025
CVE-2025-14333HIGH8.1
  • NixOSNixOS
  • firefox
NoYesDec 09, 2025
CVE-2025-14332HIGH7.3
  • NixOSNixOS
  • cpe:2.3:a:mozilla:firefox
NoYesDec 09, 2025
CVE-2025-14331MEDIUM6.5
  • NixOSNixOS
  • rhel10::thunderbird-flatpak
NoYesDec 09, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo