Skip to main content

Lz4 Flex CVE-2026-32829

| EUVDEUVD-2026-13426 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-03-20 security-advisories@github.com GHSA-vvp9-7p8x-rfvv
8.2
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Ubuntu
MEDIUM
qualitative
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13426
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 01:15 nvd
HIGH 8.2

DescriptionCVE.org

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when safe-decode is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

AnalysisAI

Information disclosure in lz4_flex compression library versions 0.11.5 and below and 0.12.0 allows attackers to read sensitive data from uninitialized memory or previous decompression operations through crafted LZ4 input that triggers out-of-bounds reads in the block-based decompression API. The vulnerability affects Ubuntu and Debian systems using vulnerable versions of lz4_flex, particularly when the safe-decode feature is disabled. No patch is currently available, leaving affected systems exposed to potential exposure of cryptographic keys and other sensitive data.

Technical ContextAI

lz4_flex is a pure Rust implementation of the LZ4 compression algorithm, commonly used for high-speed compression and decompression operations in applications requiring performance. The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), specifically manifesting as improper validation of offset values during LZ4 match copy operations in the decompression routines. When processing crafted LZ4 input, the block-based API functions (decompress_into, decompress_into_with_dict, and related functions when safe-decode feature is disabled) fail to properly bounds-check offset values, allowing out-of-bounds reads from the output buffer. This enables reading of uninitialized memory regions or residual data from previous operations. The frame-based APIs are not affected. The vulnerability is tracked as RUSTSEC-2026-0041 in the Rust security advisory database and EUVD-2026-13426 by ENISA.

RemediationAI

Upgrade lz4_flex to version 0.11.6 or later for the 0.11.x series, or to version 0.12.1 or later for the 0.12.x series. The fix is available via the upstream commit at https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d. Rust projects should update their Cargo.toml dependencies to specify the patched versions and run cargo update. As a temporary mitigation until patching, applications can enable the safe-decode feature flag in lz4_flex which enforces stricter validation, switch to using the frame-based APIs instead of block-based APIs if architecturally feasible, or implement input validation and sanitization to reject potentially malformed LZ4 data from untrusted sources. Consult the GitHub security advisory at https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv for complete remediation guidance.

Vendor StatusVendor

Ubuntu

Priority: Medium
rust-lz4-flex
Release Status Version
jammy DNE -
noble needs-triage -
questing needs-triage -
upstream released 0.13.0-1

Debian

rust-lz4-flex
Release Status Fixed Version Urgency
trixie vulnerable 0.11.3-1 -
forky vulnerable 0.11.3-2 -
sid fixed 0.13.0-1 -
(unstable) fixed 0.13.0-1 -

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-32829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy