Severity: Critical
CVSS Score: 9.8
libxar.so in xar 1.6.1 has a NULL pointer dereference in the xar_unserialize function in archive.c.