CVE-2025-5914: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5914) was identified in the libarchive library, specifically within the archivereadformatrarseek_data() function, discovered and disclosed on June 9, 2025. The vulnerability affects versions prior to 3.8.0 and involves an integer overflow that can lead to a double-free condition (NVD, CVE).

The vulnerability is classified as a double-free issue (CWE-415) that occurs due to an integer overflow in the archivereadformatrarseek_data() function. If a system is capable of handling 4 billion nodes in memory, the integer overflow leads to a realloc call with a size argument of 0, which eventually triggers a double-free condition when the client releases the memory. The vulnerability has been assigned a CVSS v3.1 base score of 3.9 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L (Github PR, NVD).

Exploiting this double-free vulnerability can result in memory corruption, potentially enabling an attacker to execute arbitrary code or cause a denial-of-service condition (NVD).

The vulnerability has been fixed in libarchive version 3.8.0. Users are recommended to upgrade to this version or later to address the issue. The fix was implemented through a patch that addresses the integer overflow condition in the archivereadformatrarseek_data() function (Github Release).