Skip to main content

Xz CVE-2026-34743

| EUVDEUVD-2026-18505 LOW
Heap-based Buffer Overflow (CWE-122)
2026-04-02 GitHub_M
1.7
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
5.8.3
EUVD ID Assigned
Apr 02, 2026 - 19:01 euvd
EUVD-2026-18505
Analysis Generated
Apr 02, 2026 - 19:01 vuln.today
CVE Published
Apr 02, 2026 - 18:36 nvd
LOW 1.7

DescriptionGitHub Advisory

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

AnalysisAI

Buffer overflow in XZ Utils lzma_index_decoder() allows memory corruption when processing Index records with no data entries prior to version 5.8.3. Unauthenticated remote attackers can trigger a heap overflow via crafted compressed data, potentially causing denial of service or memory corruption. The vulnerability has a low CVSS score (1.7) due to attack time requirement and limited impact scope, with no confirmed active exploitation at time of analysis.

Technical ContextAI

XZ Utils is a data-compression library implementing the LZMA/LZMA2 codec. The vulnerability exists in the lzma_index_decoder() function, which processes Index structures in XZ container files. An Index with zero Records is a valid but edge-case scenario that leaves the lzma_index object in an inconsistent state. When lzma_index_append() is subsequently called, it allocates insufficient heap memory based on the corrupted index state, resulting in a classic CWE-122 (Heap-based Buffer Overflow). The flaw affects all XZ Utils versions prior to 5.8.3 across all platforms where the library is compiled and used. The vulnerability requires parsing a specially-crafted XZ archive, making it exploitable wherever XZ decompression is performed on untrusted input.

RemediationAI

Vendor-released patch: XZ Utils 5.8.3. Update to version 5.8.3 or later from the official XZ Utils repository. The patched version is available at https://github.com/tukaani-project/xz/releases/tag/v5.8.3. Linux distributions and package managers should prioritize updating their XZ Utils packages to 5.8.3. Users unable to immediately upgrade should restrict processing of untrusted XZ archive files until patching is completed. The upstream fix is documented in commit c8c22869e780ff57c96b46939c3d79ff99395f87. Official security advisory is available at https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv.

Share

CVE-2026-34743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy