{"id":"CVE-2025-25724","details":"list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check the return value of strftime, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale: when the formatted time does not fit, strftime returns 0 and leaves the buffer contents indeterminate.","modified":"2026-04-09T10:32:09.792599Z","published":"2025-03-02T02:15:36.603Z","related":["ALSA-2025:9420","ALSA-2025:9431","CGA-x9j7-pv95-pv5q","MGASA-2025-0102","SUSE-SU-2025:0985-1","SUSE-SU-2025:0986-1","SUSE-SU-2025:20257-1","openSUSE-SU-2025:14882-1"],"references":[{"type":"WEB","url":"https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752"},{"type":"ADVISORY","url":"https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92"},{"type":"EVIDENCE","url":"https://github.com/Ekkosun/pocs/blob/main/bsdtarbug"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libarchive/libarchive","events":[{"introduced":"0"},{"last_affected":"b439d586f53911c84be5e380445a8a259e19114c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.7.7"}]}}],"versions":["v3.0.0a","v3.0.1b","v3.1.900a","v3.2.0","v3.2.1","v3.2.2","v3.3.0","v3.3.1","v3.3.2","v3.3.3","v3.4.0","v3.4.1","v3.4.2","v3.4.3","v3.5.0","v3.5.1","v3.5.2","v3.6.0","v3.6.1","v3.6.2","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.7.5","v3.7.6","v3.7.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-25724.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}