JLSEC-2026-153

An issue was discovered in libarchive bsdtar before version 3.8.1 in function applysubstitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service Out-of-Memory crash...

Infinite loop

Overview Affected versions of this package are vulnerable to Infinite loop via the applysubstitution function in the bsdtar when used with -s pathname-rewrite rules. An attacker can cause excessive memory allocation leading to application crash by supplying malicious input such as an empty patter...