What is the severity of CVE-2024-26308?

The severity of CVE-2024-26308 is currently classified as moderate.

How do I fix CVE-2024-26308?

To fix CVE-2024-26308, upgrade Apache Commons Compress to version 1.26.0 or later.

What software is affected by CVE-2024-26308?

CVE-2024-26308 affects Apache Commons Compress versions between 1.21 and 1.26.0, as well as associated products like IBM Security Verify Governance 10.0.2 and earlier.

What type of vulnerability is reported in CVE-2024-26308?

CVE-2024-26308 represents an infinite loop vulnerability that can lead to denial of service.

Are there any known exploits for CVE-2024-26308?

As of now, no public exploits for CVE-2024-26308 have been reported.

Vulnerability/
CVE-2024-26308

medium

5.5

CWE

770

EPSS

0.061%

19/2/2024

4/3/2025

CVE-2024-26308: Apache Commons Compress: OutOfMemoryError unpacking broken Pack200 file

First published: Mon Feb 19 2024(Updated: )

<a href="https://access.redhat.com/security/cve/CVE-2024-25710">CVE-2024-25710</a> (<a href="https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf">https://lists.apache.org/thread/cz8qkcwphy4cx8gltn932ln51cbtq6kf</a>): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue. <a href="https://access.redhat.com/security/cve/CVE-2024-26308">CVE-2024-26308</a> (<a href="https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg">https://lists.apache.org/thread/ch5yo2d21p7vlqrhll9b17otbyq4npfg</a>): Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue. Please bump to 1.26.0.

Credit: security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
redhat/Apache Commons Compress	<1.26	1.26
maven/org.apache.commons:commons-compress	>=1.21<1.26.0	1.26.0
Apache Commons Compress	>=1.21<1.26.0
IBM Security Verify Governance - Identity Manager	<=ISVG 10.0.2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7172200

Frequently Asked Questions

What is the severity of CVE-2024-26308?
The severity of CVE-2024-26308 is currently classified as moderate.
How do I fix CVE-2024-26308?
To fix CVE-2024-26308, upgrade Apache Commons Compress to version 1.26.0 or later.
What software is affected by CVE-2024-26308?
CVE-2024-26308 affects Apache Commons Compress versions between 1.21 and 1.26.0, as well as associated products like IBM Security Verify Governance 10.0.2 and earlier.
What type of vulnerability is reported in CVE-2024-26308?
CVE-2024-26308 represents an infinite loop vulnerability that can lead to denial of service.
Are there any known exploits for CVE-2024-26308?
As of now, no public exploits for CVE-2024-26308 have been reported.

agent/weakness
agent/title
agent/type
agent/first-publish-date
collector/oss-sec
source/oss-sec
alias/CVE-2024-26308
agent/author
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/severity
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/source
agent/references
agent/trending
agent/tags
collector/github-advisory-latest
source/GitHub
alias/GHSA-4265-ccf5-phj5
agent/last-modified-date
agent/softwarecombine
agent/event
collector/github-advisory
agent/description
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-api
collector/ibm-support
source/IBM
package-manager/redhat
package-manager/maven
vendor/apache
canonical/apache commons compress
version/apache commons compress/1.21
vendor/ibm
canonical/ibm security verify governance - identity manager
version/ibm security verify governance - identity manager/isvg 10.0.2