CVE-2024-37407

9.1 CRITICAL

📋 TL;DR

libarchive's ZIP reader performs an out-of-bounds memory access when it processes an archive entry whose filename is empty while the mac-ext option (handling of macOS extended-attribute metadata stored in the archive) is enabled. A crafted ZIP file can therefore crash the process that extracts it and, in the worst case, corrupt or disclose that process's memory; the CVSS rating above assumes the worst case. Any program that extracts ZIP archives with libarchive before 3.7.4 and has that option in effect is affected, including command-line tools built on the library such as bsdtar.

💻 Affected Systems

Products:
  • Libarchive
  • Applications using Libarchive library
Versions: All versions before 3.7.4
Operating Systems: All platforms where Libarchive is used
Default Config Vulnerable: ⚠️ Yes (see note)
Notes: The bug only triggers when a ZIP archive contains an entry with an empty filename AND the mac-ext option (processing of macOS extended-attribute metadata) is enabled on the reader. Whether mac-ext is on by default depends on the build and on the calling application: libarchive's seekable ZIP reader enables it by default on macOS builds, while on other platforms the application has to turn it on; libarchive's streaming ZIP reader does not process mac extensions at all. Treat the default configuration as vulnerable unless you have confirmed the option is off for every code path that reads ZIP files.

📦 What is this software?

libarchive is a C library for reading and writing streaming archives in many formats (tar, cpio, ZIP, ISO 9660, 7-Zip, RAR and others) together with the usual compression filters. It ships its own command-line tools, bsdtar and bsdcpio, and is embedded in a large number of third-party programs: package managers, file managers, backup tools, content scanners and language bindings. A bug in its ZIP reader is therefore reachable from any of those programs, not only from the libarchive tools themselves.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption in the process that extracts the archive, leading to arbitrary code execution with that process's privileges; a file-upload handler, mail gateway or content scanner running unattended as a service account is the realistic target, and from there the attacker pivots into the host.

🟠

Likely Case

The extracting process hits the out-of-bounds access and crashes (segmentation fault) on the crafted entry, denying service for that job or worker; repeated submissions can keep a worker pool down.

🟢

If Mitigated

With the extractor sandboxed and memory protections in place (ASLR, non-executable memory, a hardened allocator), the impact is a crash of that one process, i.e. denial of service for the job that touched the malicious archive.

🌐 Internet-Facing: MEDIUM - Any service that accepts and unpacks user-supplied ZIP files (upload handlers, mail gateways, document converters, content scanners) can be reached with a single crafted archive and no credentials
🏢 Internal Only: LOW - Requires a user to open the archive or an automated job to process it; phishing attachments and shared drives are the usual delivery paths

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires a ZIP archive containing an empty-name entry, delivered to a reader that has mac-ext enabled. Crashing the reader needs nothing more than that; turning the out-of-bounds access into anything beyond a crash would additionally require defeating the memory protections of the extracting process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.4

Vendor Advisory: https://github.com/libarchive/libarchive/releases/tag/v3.7.4

Restart Required: Yes for long-running processes - a process that has the old shared library mapped keeps using it until it is restarted

Instructions:

1. Upgrade to libarchive 3.7.4 or later, preferably through your distribution's package manager; otherwise build and install from the official release.
2. Restart every long-running process that has libarchive loaded so the patched shared library is actually used.
3. Rebuild and redeploy anything that links libarchive statically or ships its own copy (vendored source, container images, appliances); those do not pick up the system package.
4. Distribution packages may carry the fix as a backport under an older version string; check the package changelog or your vendor's security tracker rather than the bare version number.

🔧 Temporary Workarounds

Disable macOS extended attributes processing

Applies to: all platforms

Have the application turn off the ZIP reader's mac-ext option before it opens archives. libarchive has no environment variable for this; the option is set by the calling program through the read-options API, for example `archive_read_set_options(a, "zip:!mac-ext")` (the `!` prefix disables an option in that syntax) or `archive_read_set_format_option(a, "zip", "mac-ext", NULL)`, after the ZIP format has been registered on the reader. The cost is that macOS resource-fork and extended-attribute metadata carried in `__MACOSX/._*` entries is no longer restored, which is normally acceptable for server-side extraction.

Reject ZIP files with empty filenames

Applies to: all platforms

Screen archives before they reach libarchive and reject any whose entries have a zero-length name. Check the local file headers as well as the central directory: libarchive takes the entry name from the local header, so an archive whose central directory looks clean can still carry an empty-name local header. Treat anything the screener cannot parse (ZIP64, truncated or inconsistent structures) as a rejection rather than passing it through.

🧯 If You Can't Patch

  • Implement strict input validation to reject ZIP files with empty filenames
  • Use application sandboxing or containerization to limit potential impact
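As an added example for the screening workaround above (not code from the libarchive project or from this advisory), the following Python pre-filter parses the ZIP structure itself instead of calling libarchive, so the vulnerable parser never sees the file. It rejects empty names in both the central directory and the local file headers, flags stray local headers that a streaming reader would find by signature scanning, and fails closed on anything it cannot parse. The helper functions, the `build_zip` fixture and the three sample archives are constructed for this example.

```python
import struct
import zlib

# ZIP record signatures and fixed-size header layouts (little-endian), per the
# PKWARE APPNOTE. Sizes: local header 30 bytes, central entry 46, EOCD 22.
LOC_SIG, CEN_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOC_FMT = "<4sHHHHHIIIHH"        # sig, ver, flags, method, time, date, crc, csize, usize, name_len, extra_len
CEN_FMT = "<4sHHHHHHIIIHHHHHII"  # ... name_len, extra_len, comment_len, disk, iattr, eattr, local_offset
EOCD_FMT = "<4sHHHHIIH"          # sig, disk, cd_disk, n_disk, n_total, cd_size, cd_offset, comment_len


def _central_entries(data):
    """Yield (name, local_header_offset) for every central directory entry."""
    tail = data[-(22 + 0xFFFF):]  # the EOCD lies within the last 22 + max-comment bytes
    rel = tail.rfind(EOCD_SIG)
    if rel < 0:
        raise ValueError("no end-of-central-directory record")
    eocd = len(data) - len(tail) + rel
    _, _, _, _, count, cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    if count == 0xFFFF or 0xFFFFFFFF in (cd_size, cd_off):
        raise ValueError("ZIP64 archive: not handled by this filter")  # fail closed
    pos = cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        f = struct.unpack_from(CEN_FMT, data, pos)
        name_len, extra_len, comment_len, loc_off = f[10], f[11], f[12], f[16]
        yield data[pos + 46:pos + 46 + name_len], loc_off
        pos += 46 + name_len + extra_len + comment_len


def _local_name(data, off):
    """Name stored in the local file header at `off` (the name libarchive actually uses)."""
    if data[off:off + 4] != LOC_SIG:
        raise ValueError("offset %d does not hold a local file header" % off)
    name_len = struct.unpack_from(LOC_FMT, data, off)[9]
    return data[off + 30:off + 30 + name_len]


def zip_rejection_reasons(data):
    """Return the reasons this archive should be rejected; an empty list means it passes.
    Anything unparseable is also a reason: the filter fails closed."""
    reasons = []
    try:
        for name, loc_off in _central_entries(data):
            local = _local_name(data, loc_off)
            if not name:
                reasons.append("central directory entry with empty name")
            if not local:
                reasons.append("local header at offset %d with empty name" % loc_off)
            elif local != name:
                reasons.append("name mismatch at offset %d: central %r, local %r" % (loc_off, name, local))
        # Streaming readers locate entries by scanning for the local-header signature
        # rather than through the central directory, so flag stray headers as well.
        pos = data.find(LOC_SIG)
        while pos >= 0:
            if pos + 30 <= len(data) and struct.unpack_from("<H", data, pos + 26)[0] == 0:
                reasons.append("local header signature at offset %d with zero-length name" % pos)
            pos = data.find(LOC_SIG, pos + 1)
    except (ValueError, struct.error) as exc:
        reasons.append("malformed archive: %s" % exc)
    return list(dict.fromkeys(reasons))  # de-duplicate, keep order


def build_zip(entries):
    """Constructed test input: a stored (method 0) ZIP whose entries are
    (central_name, local_name, content), so the two names can be made to disagree."""
    body, central = bytearray(), bytearray()
    for cname, lname, content in entries:
        crc, size, off = zlib.crc32(content) & 0xFFFFFFFF, len(content), len(body)
        body += struct.pack(LOC_FMT, LOC_SIG, 20, 0, 0, 0, 0x21, crc, size, size, len(lname), 0) + lname + content
        central += struct.pack(CEN_FMT, CEN_SIG, 20, 20, 0, 0, 0, 0x21, crc, size, size,
                               len(cname), 0, 0, 0, 0, 0, off) + cname
    n = len(entries)
    eocd = struct.pack(EOCD_FMT, EOCD_SIG, 0, 0, n, n, len(central), len(body), 0)
    return bytes(body + central + eocd)


# Constructed samples: a benign archive, the empty-name case the advisory describes,
# and an archive whose central directory looks clean while its local header name is empty.
GOOD_ZIP = build_zip([(b"README.txt", b"README.txt", b"hello\n"), (b"dir/", b"dir/", b"")])
EMPTY_NAME_ZIP = build_zip([(b"", b"", b"payload")])
SMUGGLED_ZIP = build_zip([(b"notes.txt", b"", b"payload")])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ZIP), ("empty-name", EMPTY_NAME_ZIP), ("smuggled", SMUGGLED_ZIP)):
        print(label, zip_rejection_reasons(blob) or "accepted")
```

The smuggled sample is the case a central-directory-only check misses: listing the archive (as `zipfile.namelist()` does) shows `notes.txt`, but the local header libarchive reads carries a zero-length name. Run the filter on the raw upload bytes before anything hands the file to libarchive, and log the returned reasons so rejected submissions are visible to detection.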

🔍 How to Verify

Check if Vulnerable:

Find the libarchive version that the application actually loads, not just the one that is installed. From code, `archive_version_string()` returns a string such as "libarchive 3.7.3", `archive_version_number()` returns the same version as an integer (3007003; the fixed release is 3007004) and `archive_version_details()` additionally lists the compression libraries it was linked with. From the shell, `bsdtar --version` prints the libarchive version it was built against and `pkg-config --modversion libarchive` reports the development package.

Check Version:

Debian/Ubuntu: `dpkg -l 'libarchive*' | grep ^ii`; RHEL/CentOS/Fedora: `rpm -qa | grep libarchive`; macOS with Homebrew: `brew info libarchive`. Distribution packages may have the fix backported under an older version string, so also check the package changelog or the distribution's security tracker for CVE-2024-37407 before concluding a host is vulnerable.

Verify Fix Applied:

`archive_version_number()` returns 3007004 or higher (`archive_version_string()` returns "libarchive 3.7.4" or later), and every process that had the old library loaded has been restarted; `lsof | grep libarchive` (or the process's `/proc/<pid>/maps`) shows which running processes still map an old copy, typically marked "(deleted)" after the package upgrade.
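The checks above as a runnable script, added as an example (not code from libarchive or from this advisory) for a Python service that calls libarchive through ctypes: it reads the version the dynamic loader actually resolves, applies the 3.7.4 threshold in libarchive's integer encoding, and, for the disable-mac-ext workaround above, opens a ZIP reader with the option switched off. The names `load_libarchive`, `installed_status`, `open_zip_reader_without_mac_ext`, `version_number_from_string` and `is_fixed` are this example's own; the libarchive entry points it calls (`archive_version_number`, `archive_version_string`, `archive_read_new`, `archive_read_support_format_zip`, `archive_read_set_options`, `archive_read_open_filename`, `archive_error_string`, `archive_read_free`) are real library functions. It assumes libarchive is installed as a shared library; when it is not, the runtime helpers return None and only the pure version arithmetic runs.

```python
import ctypes
import ctypes.util
import re

# libarchive encodes versions as major*1000000 + minor*1000 + release
# (ARCHIVE_VERSION_NUMBER); 3.7.4 is therefore 3007004.
FIXED_VERSION_NUMBER = 3007004
ARCHIVE_OK = 0


def version_number_from_string(s):
    """Turn 'libarchive 3.7.3', 'bsdtar 3.7.3 - libarchive 3.7.3 zlib/1.3' or a bare
    '3.7.3' into libarchive's integer encoding (3007003)."""
    m = re.search(r"libarchive\s+(\d+)\.(\d+)\.(\d+)", s) or re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if m is None:
        raise ValueError("no x.y.z version in %r" % s)
    major, minor, release = (int(g) for g in m.groups())
    return major * 1000000 + minor * 1000 + release


def is_fixed(version_number):
    """True for 3.7.4 and later. False means 'upstream version predates the fix';
    distribution packages that backport the patch keep the old number, so confirm
    against the package changelog before calling the host vulnerable."""
    return version_number >= FIXED_VERSION_NUMBER


def load_libarchive():
    """ctypes handle for the libarchive the dynamic loader finds, or None if absent."""
    path = ctypes.util.find_library("archive")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.archive_version_number.restype = ctypes.c_int
    lib.archive_version_string.restype = ctypes.c_char_p
    lib.archive_read_new.restype = ctypes.c_void_p
    lib.archive_read_support_format_zip.argtypes = [ctypes.c_void_p]
    lib.archive_read_set_options.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    lib.archive_read_open_filename.argtypes = [ctypes.c_void_p, ctypes.c_char_p, ctypes.c_size_t]
    lib.archive_error_string.argtypes = [ctypes.c_void_p]
    lib.archive_error_string.restype = ctypes.c_char_p
    lib.archive_read_free.argtypes = [ctypes.c_void_p]
    return lib


def installed_status():
    """(version string, fixed?) for the installed libarchive, or None when not installed."""
    lib = load_libarchive()
    if lib is None:
        return None
    return lib.archive_version_string().decode(), is_fixed(lib.archive_version_number())


def open_zip_reader_without_mac_ext(lib, path):
    """Open `path` with libarchive's ZIP reader and mac-ext switched off (the workaround
    for an unpatched library). "zip:!mac-ext" follows the archive_read_set_options(3)
    syntax in which "!key" disables an option; the format must be registered first."""
    a = lib.archive_read_new()
    try:
        if lib.archive_read_support_format_zip(a) != ARCHIVE_OK:
            raise RuntimeError(lib.archive_error_string(a))
        if lib.archive_read_set_options(a, b"zip:!mac-ext") != ARCHIVE_OK:
            raise RuntimeError(lib.archive_error_string(a))
        if lib.archive_read_open_filename(a, path.encode(), 10240) != ARCHIVE_OK:
            raise RuntimeError(lib.archive_error_string(a))
    except Exception:
        lib.archive_read_free(a)
        raise
    return a  # caller iterates with archive_read_next_header()/archive_read_data() and frees it


if __name__ == "__main__":
    status = installed_status()
    if status is None:
        print("libarchive not found by the dynamic loader")
    else:
        print("%s -> %s" % (status[0], "fixed (>= 3.7.4)" if status[1] else "predates fix: check for a backport"))
```

Wire the two halves together: at service start-up call `installed_status()`, alert when it reports a pre-3.7.4 library without a known backport, and route all ZIP reads through `open_zip_reader_without_mac_ext` until the host is patched. The version check reports what the loader resolves for this process, which is what matters; a newer package on disk does nothing for a process that was started before the upgrade.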

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing ZIP files
  • Memory access violation errors in system logs
  • Unexpected process termination of archive-related applications

Network Indicators:

  • Repeated ZIP uploads from one source followed by restarts, timeouts or 5xx responses from the service that unpacks them
  • ZIP attachments or uploads whose entries have zero-length names, if the upload gateway or mail scanner records entry metadata

SIEM Query:

process.name:("bsdtar" OR "bsdcpio") AND (event.action:"crash" OR event.outcome:"failure") AND file.extension:"zip"

Extend process.name with the applications that actually link libarchive in your environment (bsdtar and bsdcpio are libarchive's own tools); libarchive itself never appears as a process name, so a query for "archive" alone matches nothing useful. On Linux the equivalent raw signal is a segfault line in dmesg or the journal naming one of those processes.

🔗 References
