Debian LTS has released security patches for libarchive and pyjwt to address multiple critical flaws across several supported distributions. The libarchive update fixes four separate vulnerabilities that could trigger infinite loops, leak sensitive memory data, crash applications, or allow arbitrary code execution on older architectures. A separate advisory corrects a pyjwt specification violation where the library improperly accepted JSON Web Tokens containing unrecognized critical header parameters. Administrators managing Debian 11 or older extended support releases should upgrade these packages immediately to close these security gaps.

[DLA 4563-1] libarchive security update
[DLA 4564-1] pyjwt security update
ELA-1707-1 pyjwt security update

[SECURITY] [DLA 4563-1] libarchive security update

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4563-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Arnaud Rebillout
May 05, 2026 https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package : libarchive
Version : 3.4.3-2+deb11u4
CVE ID : CVE-2026-4111 CVE-2026-4424 CVE-2026-4426 CVE-2026-5121
Debian Bug : 1130753 1131444 1131446 1133002

Multiple vulnerabilities have been discovered in libarchive, a
multi-format archive and compression C library, which also provides the
following command-line tools: bsdcat, bsdcpio, bsdtar and bsdunzip.

CVE-2026-4111

A flaw was identified in the RAR5 archive decompression logic of the
libarchive library, specifically within the archive_read_data()
processing path. When a specially crafted RAR5 archive is processed,
the decompression routine may enter a state where internal logic
prevents forward progress. This condition results in an infinite loop
that continuously consumes CPU resources. Because the archive passes
checksum validation and appears structurally valid, affected
applications cannot detect the issue before processing. This can allow
attackers to cause persistent denial-of-service conditions in services
that automatically process archives.

CVE-2026-4424

A flaw was found in libarchive. This heap out-of-bounds read
vulnerability exists in the RAR archive processing logic due to
improper validation of the LZSS sliding window size after transitions
between compression methods. A remote attacker can exploit this by
providing a specially crafted RAR archive, leading to the disclosure
of sensitive heap memory information without requiring authentication
or user interaction.

CVE-2026-4426

A flaw was found in libarchive. An Undefined Behavior vulnerability
exists in the zisofs decompression logic, caused by improper
validation of a field (`pz_log2_bs`) read from ISO9660 Rock Ridge
extensions. A remote attacker can exploit this by supplying a
specially crafted ISO file. This can lead to incorrect memory
allocation and potential application crashes, resulting in a
denial-of-service (DoS) condition.

CVE-2026-5121

A flaw was found in libarchive. On 32-bit systems, an integer overflow
vulnerability exists in the zisofs block pointer allocation logic. A
remote attacker can exploit this by providing a specially crafted
ISO9660 image, which can lead to a heap buffer overflow. This could
potentially allow for arbitrary code execution on the affected system.

For Debian 11 bullseye, these problems have been fixed in version
3.4.3-2+deb11u4.

We recommend that you upgrade your libarchive packages.

For the detailed security status of libarchive please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libarchive

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

[SECURITY] [DLA 4564-1] pyjwt security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4564-1 debian-lts@lists.debian.org
https://www.debian.org/lts/security/ Jochen Sprickerhof
May 05, 2026 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package : pyjwt
Version : 1.7.1-2+deb11u1
CVE ID : CVE-2026-32597

It was discovered that PyJWT, a Python implementation of JSON Web Token
did not validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. When a JWS token contains a crit array listing extensions that PyJWT
does not understand, the library accepts the token instead of rejecting it.
This violates the MUST requirement in the RFC.

For Debian 11 bullseye, this problem has been fixed in version
1.7.1-2+deb11u1.

We recommend that you upgrade your pyjwt packages.

For the detailed security status of pyjwt please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/pyjwt

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

ELA-1707-1 pyjwt security update (by )

Package : pyjwt

Version : 1.4.2-1+deb9u2 (stretch), 1.7.0-2+deb10u1 (buster)

Related CVEs :
CVE-2026-32597

It was discovered that PyJWT, a Python implementation of JSON Web Token
did not validate the crit (Critical) Header Parameter defined in RFC 7515
§4.1.11. When a JWS token contains a crit array listing extensions that PyJWT
does not understand, the library accepts the token instead of rejecting it.
This violates the MUST requirement in the RFC.

ELA-1707-1 pyjwt security update (by )