CVE-2026-32829

EUVD-2026-13426 | HIGH 8.2 (CVSS 4.0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 20, 2026 - 08:37 (vuln.today)
EUVD ID Assigned: Mar 20, 2026 - 08:37 (euvd) - EUVD-2026-13426
CVE Published: Mar 20, 2026 - 01:15 (nvd)

Description

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
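As an added example (not lz4_flex's code, and deliberately simplified: no dictionary support and no end-of-block rules beyond the literal-only final sequence), a Rust LZ4 block decoder whose match copy rejects any offset that points before the bytes the current call has produced, which is the validation the advisory says the affected block functions lack:

```rust
// Added example, not lz4_flex's code: a simplified LZ4 block decoder whose
// match-copy step enforces the offset check this advisory describes.
#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, BadOffset { offset: usize, written: usize } }
// A length nibble of 15 is extended by further bytes until one is below 255.
fn read_len(inp: &[u8], pos: &mut usize, nibble: usize) -> Result<usize, DecodeError> {
    let mut len = nibble;
    if nibble == 15 {
        loop {
            let b = *inp.get(*pos).ok_or(DecodeError::Truncated)?;
            *pos += 1;
            len += b as usize;
            if b != 255 { break; }
        }
    }
    Ok(len)
}

pub fn decompress_block(inp: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < inp.len() {
        let token = inp[pos];
        pos += 1;
        // Literal run: copied verbatim from the input.
        let lit_len = read_len(inp, &mut pos, (token >> 4) as usize)?;
        let lits = inp.get(pos..pos + lit_len).ok_or(DecodeError::Truncated)?;
        out.extend_from_slice(lits);
        pos += lit_len;
        if pos == inp.len() { break; } // the final sequence carries literals only
        // Match: 2-byte little-endian offset back into the output, then length (min 4).
        let off = inp.get(pos..pos + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        pos += 2;
        let match_len = read_len(inp, &mut pos, (token & 0x0f) as usize)? + 4;
        // The check at issue: a match may only reference bytes this call has produced.
        // An unchecked copy loop would instead read whatever the buffer held before.
        if offset == 0 || offset > out.len() {
            return Err(DecodeError::BadOffset { offset, written: out.len() });
        }
        let start = out.len() - offset;
        for i in 0..match_len {
            out.push(out[start + i]); // byte-wise, so an overlapping match repeats
        }
    }
    Ok(out)
}
fn main() {
    // Constructed input: two literals, then a match with offset 5 (only 2 bytes exist).
    println!("{:?}", decompress_block(&[0x20, b'a', b'b', 0x05, 0x00]));
}
```

A well-formed block such as `[0x40, b'a', b'b', b'c', b'd', 0x04, 0x00]` decodes to `abcdabcd`; the constructed malformed block in `main` is rejected with `BadOffset` instead of copying from outside the produced output.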

Analysis

Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. …


Remediation

Within 24 hours: Inventory all systems and applications using lz4_flex versions 0.11.5 and below or 0.12.0; assess which handle untrusted input. Within 7 days: Evaluate migration to patched versions or alternative compression libraries; if migration is infeasible, implement input validation and disable unsafe decompression modes. …


Priority Score

41 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +41
POC: 0

Vendor Status

Ubuntu

Priority: Medium
rust-lz4-flex
Release Status Version
jammy DNE -
noble needs-triage -
questing needs-triage -
upstream released 0.13.0-1

Debian

rust-lz4-flex
Release Status Fixed Version Urgency
trixie vulnerable 0.11.3-1 -
forky vulnerable 0.11.3-2 -
sid fixed 0.13.0-1 -
(unstable) fixed 0.13.0-1 -


CVE-2026-32829 vulnerability details – vuln.today
