A double free issue has been identified in libarchive's RAR5 reader. During parsing of a specially crafted RAR5 archive, the filtered_buf pointer may remain stale after being freed during unpacking state reinitialization. Subsequent processing of another archive entry can trigger a second free of the same memory region, resulting in a double-free condition. Successful exploitation may cause applications using the vulnerable libarchive API to terminate unexpectedly, leading to a denial of service.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-14164 represents a double-free vulnerability in libarchive's RAR5 reader that occurs when a specially crafted RAR5 archive triggers improper memory management during unpacking state reinitialization. The filtered_buf pointer becomes stale after the first free operation, but the code fails to null it or prevent subsequent processing from freeing the same memory region again. This vulnerability affects any application that uses libarchive to parse RAR5 archives, including backup tools, file managers, security software, and package managers. With a CVSS score of 7.5, successful exploitation causes denial of service through application crashes, potentially disrupting critical workflows that depend on archive processing functionality.
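The stale-pointer pattern described above, next to the free-and-clear form, as an added C example that is not libarchive's code. The struct, the function names and the one-slot quarantine shim are hypothetical; only the field name filtered_buf comes from the advisory. The shim counts a repeated free instead of performing it, so the program runs safely.

```c
#include <stdlib.h>

/* Hypothetical reader state; only the name filtered_buf is from the advisory. */
struct reader_state {
    unsigned char *filtered_buf;
    size_t filtered_len;
};

/* One-slot quarantine: the last block handed to tracked_free stays allocated,
 * so a second free of the same address is counted rather than executed. */
static void *quarantined;
static int double_frees;

static void tracked_free(void *p) {
    if (p == NULL) return;                         /* free(NULL) is a no-op */
    if (p == quarantined) { double_frees++; return; }
    free(quarantined);                             /* release the older block */
    quarantined = p;
}

/* Stale pattern: the buffer is released on reinit but the pointer is kept. */
static void reinit_stale(struct reader_state *s) {
    tracked_free(s->filtered_buf);
    s->filtered_len = 0;
}

/* Hardened pattern: release and clear together, so later frees see NULL. */
static void reinit_cleared(struct reader_state *s) {
    tracked_free(s->filtered_buf);
    s->filtered_buf = NULL;
    s->filtered_len = 0;
}

/* Cleanup when the next entry is processed: frees whatever the field holds. */
static void next_entry_cleanup(struct reader_state *s) {
    tracked_free(s->filtered_buf);
    s->filtered_buf = NULL;
}

/* Runs reinit, then next-entry cleanup; returns the double frees observed. */
static int simulate(void (*reinit)(struct reader_state *)) {
    struct reader_state s = { malloc(64), 64 };
    double_frees = 0;
    reinit(&s);
    next_entry_cleanup(&s);
    free(quarantined);                             /* drain the quarantine */
    quarantined = NULL;
    return double_frees;
}

int main(void) { return (simulate(reinit_stale) == 1 && simulate(reinit_cleared) == 0) ? 0 : 1; }
```

Building real code with AddressSanitizer (`-fsanitize=address`) reports the same condition as an attempted double free, using a quarantine in the same way as the shim here.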
While CVE-2026-14164 does not directly map to MITRE ATT&CK techniques, Casky's security skills powered by Claude AI with extended reasoning can detect the underlying attack patterns through memory corruption analysis and application behavior monitoring. Practitioners using Casky would identify suspicious indicators including: unexpected application terminations when processing specific archive files, repeated crashes during archive extraction workflows, memory access violations in libarchive stack traces, and patterns of file types (RAR5 archives) that consistently trigger failures. By correlating CWE-415 (double free) signatures with application telemetry, security teams can recognize when adversaries are exploiting this vulnerability to disrupt services, enabling rapid containment and patching before widespread impact occurs.
© 2026 Casky.AI, Inc. · AI Security Investigation