CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file
Published Feb 19, 2024
Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.
Affected Software
4 affected components (fixes available)
  maven/org.apache.commons:commons-compress  >=1.21, <1.26.0  fixed in 1.26.0
  Apache Commons Compress                     >=1.21, <1.26.0
  redhat/Apache Commons Compress              <1.26            fixed in 1.26
  IBM QRadar SIEM                             <=7.5            fixed in 7.5.0 UP12 IF03
Event History
Feb 19, 2024
  CVE Published (via MITRE, 08:31 AM)
  Data Sourced (via MITRE, 08:31 AM): Description, Weakness
  Advisory Published (via GitHub, 09:30 AM)
  Data Sourced (via Red Hat, 08:32 PM): Description, Severity, Affected Software
Aug 1, 2025
  Data Sourced (via IBM, 12:00 AM): Description, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2024-26308?
The severity of CVE-2024-26308 is currently classified as moderate.
2. How do I fix CVE-2024-26308?
To fix CVE-2024-26308, upgrade Apache Commons Compress to version 1.26.0 or later.
3. What software is affected by CVE-2024-26308?
CVE-2024-26308 affects Apache Commons Compress versions from 1.21 before 1.26.0, as well as associated products such as IBM Security Verify Governance 10.0.2 and earlier.
4. What type of vulnerability is reported in CVE-2024-26308?
CVE-2024-26308 represents an infinite loop vulnerability that can lead to denial of service.
5. Are there any known exploits for CVE-2024-26308?
As of now, no public exploits for CVE-2024-26308 have been reported.