CVE-2021-23177 [High] | Security Vulnerability in Libarchive

An improper link resolution flaw while extracting an archive can lead to changing the access control list (ACL) of the target of the link. An attacker may provide a malicious archive to a victim user, who would trigger this flaw when trying to extract the archive. A local attacker may use this flaw to change the ACL of a file on the system and gain more privileges.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.04%	0.37%	+0.33%
2	2025-11-21	0.07%	0.04%	-0.04%
3	2025-11-18	—	0.07%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.04%

0.37%

+0.33%

2025-11-21

0.07%

0.04%

-0.04%

2025-11-18

—

0.07%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
7.8	3.1	HIGH	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	1.8	5.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

7.8

3.1

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

1.8

5.9

[email protected]

OS Trackers for CVE-2021-23177

vendor	priority	summary	link
`alpine`	high	CVE-2021-23177: 1 source package rows (libarchive); 15 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 0, open 15.	https://security.alpinelinux.org/vuln/CVE-2021-23177
`debian`	not yet assigned	CVE-2021-23177 not yet assigned priority: Debian including 1 source packages (libarchive), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2021-23177
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-23177
`suse`	medium	—	https://www.suse.com/security/cve/CVE-2021-23177/
`ubuntu`	low	CVE-2021-23177 low priority: Ubuntu including 1 source packages (libarchive), 15 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 8, ignored 4, released 3.	https://ubuntu.com/security/CVE-2021-23177

Affected software / configurations for CVE-2021-23177

Vendor	Product	Version	Raw CPE
libarchive	libarchive	< 3.5.2	cpe:2.3:a:libarchive:libarchive::::::::
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
redhat	enterprise_linux_eus	8.6	cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::*
redhat	enterprise_linux_for_ibm_z_systems	8.0	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:::::::*
redhat	enterprise_linux_for_ibm_z_systems_eus	8.6	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:::::::*
redhat	enterprise_linux_for_power_little_endian	8.0	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:::::::*
redhat	enterprise_linux_for_power_little_endian_eus	8.6	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:::::::*
redhat	enterprise_linux_server_aus	8.6	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:::::::*
redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	8.6	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:::::::*
redhat	enterprise_linux_server_tus	8.6	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:::::::*
redhat	codeready_linux_builder	—	cpe:2.3:a:redhat:codeready_linux_builder:-:::::::*
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*

References for CVE-2021-23177

URL	Tags
https://access.redhat.com/security/cve/CVE-2021-23177	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2024245	Issue Tracking Patch Third Party Advisory
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad	Patch Third Party Advisory
https://github.com/libarchive/libarchive/issues/1565	Issue Tracking Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/11/msg00030.html	Mailing List Third Party Advisory

URL

CVE-2021-23177

Exploit prediction scoring system (EPSS) score for CVE-2021-23177

Common vulnerability scoring system (CVSS) metrics for CVE-2021-23177

Weakness enumeration for CVE-2021-23177

OS Trackers for CVE-2021-23177

Affected software / configurations for CVE-2021-23177

References for CVE-2021-23177