diff --git a/libarchive-3.7.1-CVE-2026-4111.patch b/libarchive-3.7.1-CVE-2026-4111.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c8be608be17c04f2fd50d160e87f09024f06cc62
--- /dev/null
+++ b/libarchive-3.7.1-CVE-2026-4111.patch
@@ -0,0 +1,27 @@
+From 7273d04803a1e5a482f26d8d0fbaf2b204a72168 Mon Sep 17 00:00:00 2001
+From: Tim Kientzle
+Date: Sun, 1 Mar 2026 20:24:56 -0800
+Subject: [PATCH] Reject filters when the block length is nonsensical
+
+Credit: Grzegorz Antoniak @antekone
+
+
+---
+ libarchive/archive_read_support_format_rar5.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/libarchive/archive_read_support_format_rar5.c b/libarchive/archive_read_support_format_rar5.c
+index 1f90994..16d0789 100644
+--- a/libarchive/archive_read_support_format_rar5.c
++++ b/libarchive/archive_read_support_format_rar5.c
+@@ -2914,7 +2914,9 @@ static int parse_filter(struct archive_read* ar, const uint8_t* p) {
+ if(block_length < 4 ||
+ block_length > 0x400000 ||
+ filter_type > FILTER_ARM ||
+- !is_valid_filter_block_start(rar, block_start))
++ !is_valid_filter_block_start(rar, block_start) ||
++ (rar->cstate.window_size > 0 &&
++ (ssize_t)block_length > rar->cstate.window_size >> 1))
+ {
+ archive_set_error(&ar->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Invalid filter encountered");
diff --git a/libarchive-3.7.1-CVE-2026-4424.patch b/libarchive-3.7.1-CVE-2026-4424.patch
new file mode 100644
index 0000000000000000000000000000000000000000..aa72f8f5e7e6b639a746e692a8de7d19d5860210
--- /dev/null
+++ b/libarchive-3.7.1-CVE-2026-4424.patch
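Review bot: The bound added to parse_filter's validity check in the rar5 patch carries no comment explaining why a filter block may cover at most half the window, and the `window_size > 0` guard means the bound is not applied at all when `rar->cstate.window_size` is zero. Whether parse_filter can run before a window size has been set is not visible in this hunk, so that path deserves a look or a comment stating it is unreachable. The comparison also relies on `>>` binding tighter than `>`; writing it as `(ssize_t)block_length > (rar->cstate.window_size >> 1)` and adding `/* block_length comes from the archive; cap it at half the window */` above the clause would make the intent explicit. parse_filter's body starts and ends outside the hunk.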
@@ -0,0 +1,57 @@
+From d379dc0b2976b7207d1ad78f5ed3eb99a5b6d375 Mon Sep 17 00:00:00 2001
+From: elhananhaenel
+Date: Sat, 7 Mar 2026 22:32:09 +0200
+Subject: [PATCH 1/2] rar: fix LZSS window size mismatch after PPMd block
+
+When a PPMd-compressed block updates dictionary_size, the LZSS window
+from a prior block is not reallocated. The allocation guard only checks
+if dictionary_size is zero or the window pointer is NULL, not whether
+the existing window is large enough. This allows copy_from_lzss_window()
+to read past the allocated buffer.
+
+Fix the guard to also check whether the current window is undersized.
+Add bounds checks in copy_from_lzss_window() and parse_filter() as
+defense in depth.
+
+Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)
+
+---
+ libarchive/archive_read_support_format_rar.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/libarchive/archive_read_support_format_rar.c b/libarchive/archive_read_support_format_rar.c
+index 5cc04b8..dcebea3 100644
+--- a/libarchive/archive_read_support_format_rar.c
++++ b/libarchive/archive_read_support_format_rar.c
+@@ -2461,7 +2461,8 @@ parse_codes(struct archive_read *a)
+ return (r);
+ }
+
+- if (!rar->dictionary_size || !rar->lzss.window)
++ if (!rar->dictionary_size || !rar->lzss.window ||
++ (unsigned int)(rar->lzss.mask + 1) < rar->dictionary_size)
+ {
+ /* Seems as though dictionary sizes are not used. Even so, minimize
+ * memory usage as much as possible.
+@@ -3065,6 +3066,11 @@ copy_from_lzss_window(struct archive_read *a, uint8_t *buffer,
+
+ windowoffs = lzss_offset_for_position(&rar->lzss, startpos);
+ firstpart = lzss_size(&rar->lzss) - windowoffs;
++ if (length > lzss_size(&rar->lzss)) {
++ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
++ "Bad RAR file data");
++ return (ARCHIVE_FATAL);
++ }
+ if (firstpart < 0) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Bad RAR file data");
+@@ -3227,7 +3233,8 @@ parse_filter(struct archive_read *a, const uint8_t *bytes, uint16_t length, uint
+ else
+ blocklength = prog ? prog->oldfilterlength : 0;
+
+- if (blocklength > rar->dictionary_size)
++ if (blocklength > rar->dictionary_size ||
++ blocklength > (uint32_t)(rar->lzss.mask + 1))
+ return 0;
+
+ registers[3] = PROGRAM_SYSTEM_GLOBAL_ADDRESS;
diff --git a/libarchive.spec b/libarchive.spec
index ac72d878623317cb656157045a65147f131ff730..84101e0ef8d96f68ef893fd96677defadedfb1b9 100644
--- a/libarchive.spec
+++ b/libarchive.spec
@@ -1,7 +1,7 @@
 Summary: A library for handling streaming archive formats
 Name: libarchive
 Version: 3.7.1
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: BSD
 URL: https://www.libarchive.org/
 Source0: https://libarchive.org/downloads/%{name}-%{version}.tar.gz
@@ -34,6 +34,9 @@ Patch0016: CVE-2025-5918.patch # https://github.com/libarchive/libarchive/pull/2787 Patch0017: CVE-2025-60753.patch +Patch0018: libarchive-3.7.1-CVE-2026-4111.patch +Patch0019: libarchive-3.7.1-CVE-2026-4424.patch + Patch3001: 0001-Drop-rmd160-from-OpenSSL.patch BuildRequires: autoconf, automake, bison, gcc, libtool
@@ -129,6 +132,10 @@ rm %{buildroot}%{_mandir}/man5/{tar,cpio,mtree}.5* %changelog +* Mon Mar 23 2026 PkgAgent Robot - 3.7.1-12 +- [Type] security +- [DESC] Fix CVE-2026-4111, CVE-2026-4424 + * Tue Dec 09 2025 rockerzhu - 3.7.1-11 - [Type] Security - [Desc] Fix CVE-2025-60753.
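Review bot: The two window-size guards added in parse_codes and parse_filter recompute the window size by hand as `rar->lzss.mask + 1` with different casts (`unsigned int` in one, `uint32_t` in the other), while the check added in copy_from_lzss_window uses `lzss_size(&rar->lzss)` for the same quantity. Using the helper in all three, e.g. `(unsigned int)lzss_size(&rar->lzss) < rar->dictionary_size` and `blocklength > (uint32_t)lzss_size(&rar->lzss)`, keeps the guards from drifting apart (this assumes lzss_size is declared above parse_codes, which the hunks do not show). Separately, `if (length > lzss_size(&rar->lzss))` bounds length only from above; its declaration is outside the hunk, and if it is a signed type a negative value would pass this check, so `length < 0 ||` may belong in the same condition. All three functions start and end outside their hunks.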
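Review bot: Patch0018 and Patch0019 are added to libarchive.spec without an upstream reference, unlike the entry just above them, which carries `# https://github.com/libarchive/libarchive/pull/2787`. The CVE-2026-4424 patch header reads `[PATCH 1/2]` and `Adapted-by: PkgAgent (modified to adapt to opencloudos-stream)`, so from the spec alone a reader cannot tell which upstream change was taken, whether a second patch of the series was left out on purpose, or what the adaptation altered. A comment line above each entry, `# <upstream commit or PR URL>`, plus one line for Patch0019 describing the adaptation, would let the backport be compared against upstream. The new changelog entry also writes `[Type] security` and `[DESC]` where the previous entry uses `[Type] Security` and `[Desc]`.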