CVE-2024-48958: Buffer Overflow
Published Oct 10, 2024
·Updated
Accessibility. A logging issue was addressed with improved data redaction.
Other sources
AccountPolicy. This issue was addressed by removing the vulnerable code.
— Apple
Accounts. This issue was addressed with improved data access restriction.
— Apple
AirDrop. A permissions issue was addressed with additional restrictions.
— Apple
AirPlay. A null pointer dereference was addressed with improved input validation.
— Apple
AirPlay. A type confusion issue was addressed with improved checks.
— Apple
Credit
Uri Katz (Oligo Security), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Dominik Rath, Martin Kreichgauer(Google Chrome), Yutong Xiu@@Sou1gh0st, Denis Tokarev@@illusionofcha0s, Google Threat Analysis Group, wac(Trend Micro Zero Day Initiative), CVE-2024-9681, Andr.Ess, Kirin@@Pwnrin, LFY@@secsys(Fudan University), Anonymous(Trend Micro Zero Day Initiative), Wang Yu(Cyberserval), Michael (Biscuit) Thomas - @social.lol@@biscuit, Ian Beer(Google Project Zero), CVE-2024-48958, an anonymous researcher, CVE-2025-27113, CVE-2024-56171, Alex Radocea(Supernetworks), Dave G.(Supernetworks), 风沐云烟@@binary_fmyy, Minghao Lin@@Y1nKoc, Jonathan Bar Or@@yo_yo_yo_jbo(Microsoft), Alexia Wilson(Microsoft), Christine Fossaceca(Microsoft), Jimmy, Mickey Jin@@patch1t, Jaydev Ahire, @@RenwaX23, Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), Luyi Xing(Indiana University Bloomington), Halle Winkler, Politepix theoffcuts.org, Andrew James Gonzalez, Alexander Heinrich@@Sn0wfreeze, SEEMOO, TU Darmstadt & Mathy Vanhoef@@vanhoefm, Jeroen Robben@@RobbenJeroen, DistriNet, KU Leuven, Vsevolod Kokorin (Slonser)(Solidlab), Gary Kwong, Paul Bakker(ParagonERP), rheza@@ginggilBesel, Lehan Dilusha@@zafer, Ron Masas(BREAKPOINT), pattern-f@@pattern_F_, Bohdan Stasiuk@@bohdan_stasiuk, Francisco Alonso@@revskills, Syarif Muhammad Sajjad, Apple, Zhongcheng Li(IES Red Team of ByteDance), Gergely Kalman@@gergely_kalman, mzzzz__, Muhammad Zaid Ghifari (Mr.ZheeV), Kalimantan Utara, Florian Draschbacher, Jax Reissner, Dalibor Milanovic, Wojciech Regula(SecuRing), Abhay Kailasia@@abhay_kailasia(C), Chi Yuan Chang(ZUSO ART), taikosoup, YingQi Shi@@Mas0nShi(DBAppSecurity's WeBin lab), Richard Hyunho Im with routezero.security@@richeeta, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Jeffrey Hofmann, Ian Mckay@@iann0036, Csaba Fitzl@@theevilbit(Kandji), Nolan Astrein(Kandji), Stephan Casas, Rodolphe BRUNETTI@@eisw0lf(Lupus Nova), Pietro Francesco Tirenna(Shielder), Davide Silvetti(Shielder), Abdel Adim Oisfi(Shielder), luckyu@@uuulucky, Rodolphe BRUNETTI@@eisw0lf, Manuel Fernandez (Stackhopper Security), ABC Research s.r.o., Murray Mike, Dayton Pidhirney(Atredis Partners), Lyutoon, YenKoc, Ye Zhang@@VAR10CK(Baidu Security), Koh M. Nakagawa@@tsunek0h(FFRI Security Inc), Joseph Ravichandran@@0xjprx(MIT CSAIL), Kenneth Chew, Paweł Płatek (Trail(Bits), Diamant Osmani & Valdrin Haliti [Kosovë], dbpeppe, Solitechworld, Pwn2car, Alhour@@NSAntoine, Mickey Jin@@patch1t(Kandji), (Kandji), Pedro Tôrres@@t0rr3sp3dr0, Noah Gregory (wts.dev), CVE-2023-27043, Yiğit Can YILMAZ@@yilmazcanyigit, Arsenii Kostromin (0x3c3e), Rodolphe Brunetti@@eisw0lf(Lupus Nova), Dolf Hoegaerts, Michiel Devliegere, K宝@@Pwnrin, Tong Liu@@Lyutoon_, 风(binary_fmyy), F00L, Dave G., zbleet(QI), Cristian Dinca(Computer Science), Romania, 风沐云烟 (binary_fmyy), Kirin, FlowerCode, Zhongquan Li@@Guluisacat, Pedro José Pereira Vieito / pvieito.com)@@pvieito, PixiePoint Security, Andreas Hegenberg (folivora.AI GmbH)
Affected Software
9 affected componentsFixes available
debian/libarchive<=3.6.2-1+deb12u1, <=3.7.4-1
3.4.3-2+deb11u1
Libarchive libarchive>=3.6.0<3.7.5
Libarchive libarchive<3.7.5
Apple visionOS<2.4
2.4
Apple tvOS<18.4
18.4
Apple iOS<18.4
18.4
Apple iPadOS<18.4
18.4
Apple macOS Sequoia<15.4
15.4
Apple WatchOS<11.4
11.4
Remediation
Patch Available
Event History
Oct 10, 2024
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Data Sourced
via NVD·02:15 AM
RemedyDescriptionSeverityWeaknessAffected Software
Oct 16, 2024
Data Sourced
via Ubuntu·06:29 AM
RemedyDescriptionSeverityAffected Software
Mar 31, 2025
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionWeakness
Updated
via Apple·12:00 AM
Description
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
Affected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Apr 1, 2025
Updated
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Updated
via Apple·12:00 AM
DescriptionAffected Software
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2025-24221
- CVE-2025-31202
- CVE-2025-24271
- CVE-2025-24270
- CVE-2025-24252
- CVE-2025-24251
- CVE-2025-31197
- CVE-2025-24206
- CVE-2025-30445
- CVE-2025-43205
- CVE-2025-24243
- CVE-2025-30430
- CVE-2025-24180
- CVE-2025-24237
- CVE-2025-30429
- CVE-2025-24212
- CVE-2025-24163
- CVE-2025-24230
- CVE-2025-31196
- CVE-2025-24211
- CVE-2025-24190
- CVE-2025-24182
- CVE-2025-31203
- CVE-2024-9681
- CVE-2025-30439
- CVE-2025-24283
- CVE-2025-30447
- CVE-2025-24210
- CVE-2025-24257
- CVE-2025-30432
- CVE-2025-24203
- CVE-2024-48958
- CVE-2025-24194
- CVE-2025-27113
- CVE-2024-56171
- CVE-2025-31182
- CVE-2025-31199
- CVE-2025-30470
- CVE-2025-30426
- CVE-2025-24173
- CVE-2025-24095
- CVE-2025-30466
- CVE-2025-24113
- CVE-2025-30471
- CVE-2025-30438
- CVE-2025-30433
- CVE-2025-24214
- CVE-2025-31184
- CVE-2025-24192
- CVE-2025-24264
- CVE-2025-24216
- CVE-2025-30427
- CVE-2025-24097
- CVE-2025-24244
- CVE-2025-30454
- CVE-2025-31191
- CVE-2025-24178
- CVE-2025-24238
- CVE-2025-31183
- CVE-2025-24217
- CVE-2025-24209
- CVE-2025-30425
- CVE-2025-30467
- CVE-2025-24167
- CVE-2025-24201
- CVE-2025-24202
- CVE-2025-30456
- CVE-2025-30463
- CVE-2025-30434
- CVE-2025-24193
- CVE-2025-30428
- CVE-2025-30469
- CVE-2025-31192
- CVE-2025-24220
- CVE-2025-30436
- CVE-2025-24205
- CVE-2025-24198
- CVE-2025-24208
- CVE-2025-24234
- CVE-2025-24276
- CVE-2025-24272
- CVE-2025-24239
- CVE-2025-24233
- CVE-2025-30443
- CVE-2025-31272
- CVE-2025-24245
- CVE-2025-30460
- CVE-2025-24215
- CVE-2025-24236
- CVE-2025-24170
- CVE-2025-24277
- CVE-2025-31189
- CVE-2025-24255
- CVE-2025-30453
- CVE-2025-24267
- CVE-2025-24258
- CVE-2025-30455
- CVE-2025-31187
- CVE-2025-30462
- CVE-2025-30451
- CVE-2025-24281
- CVE-2025-30461
- CVE-2025-24199
- CVE-2025-30431
- CVE-2025-30464
- CVE-2025-24273
- CVE-2025-24256
- CVE-2025-30448
- CVE-2025-24249
- CVE-2025-24229
- CVE-2025-31263
- CVE-2025-30437
- CVE-2025-24235
- CVE-2025-24204
- CVE-2025-24196
- CVE-2025-24148
- CVE-2025-24195
- CVE-2025-31231
- CVE-2025-31264
- CVE-2025-24172
- CVE-2025-30450
- CVE-2025-46308
- CVE-2025-24262
- CVE-2025-24232
- CVE-2025-24246
- CVE-2025-24261
- CVE-2025-24164
- CVE-2025-30446
- CVE-2025-24259
- CVE-2025-30424
- CVE-2023-27043
- CVE-2025-24284
- CVE-2025-30459
- CVE-2025-24191
- CVE-2025-24093
- CVE-2025-30452
- CVE-2025-24181
- CVE-2025-30458
- CVE-2025-24250
- CVE-2025-24268
- CVE-2025-43184
- CVE-2025-30465
- CVE-2025-24280
- CVE-2025-31194
- CVE-2025-30435
- CVE-2025-24248
- CVE-2025-24269
- CVE-2025-30444
- CVE-2025-24228
- CVE-2025-24165
- CVE-2025-24260
- CVE-2025-30442
- CVE-2025-24282
- CVE-2025-24254
- CVE-2025-24231
- CVE-2025-24263
- CVE-2025-24207
- CVE-2025-31261
- CVE-2025-30449
- CVE-2025-24253
- CVE-2025-46293
- CVE-2025-43278
- CVE-2025-24240
- CVE-2025-31188
- CVE-2025-24218
- CVE-2025-24278
- CVE-2025-24242
- CVE-2025-30457
- CVE-2025-31195
- CVE-2025-24279
- CVE-2025-24247
- CVE-2025-24241
- CVE-2025-24266
- CVE-2025-24265
- CVE-2025-24157
- CVE-2025-31198
Frequently Asked Questions
1
What is the severity of CVE-2024-48958?
CVE-2024-48958 is classified as a medium severity vulnerability due to its potential for out-of-bounds access.
2
How do I fix CVE-2024-48958?
To mitigate CVE-2024-48958, update libarchive to version 3.7.5 or later.
3
What is the impact of CVE-2024-48958?
CVE-2024-48958 could allow attackers to exploit out-of-bounds access, potentially leading to data corruption or arbitrary code execution.
4
What versions of libarchive are affected by CVE-2024-48958?
CVE-2024-48958 affects libarchive versions prior to 3.7.5, including all versions from 3.6.0 up to 3.7.4.
5
Is there a specific environment where CVE-2024-48958 is mainly a concern?
CVE-2024-48958 is particularly concerning for systems that handle untrusted RAR archive files.