Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
AnalysisAI
Buffer overflow in XZ Utils lzma_index_decoder() allows memory corruption when processing Index records with no data entries prior to version 5.8.3. Unauthenticated remote attackers can trigger a heap overflow via crafted compressed data, potentially causing denial of service or memory corruption. The vulnerability has a low CVSS score (1.7) due to attack time requirement and limited impact scope, with no confirmed active exploitation at time of analysis.
Technical ContextAI
XZ Utils is a data-compression library implementing the LZMA/LZMA2 codec. The vulnerability exists in the lzma_index_decoder() function, which processes Index structures in XZ container files. An Index with zero Records is a valid but edge-case scenario that leaves the lzma_index object in an inconsistent state. When lzma_index_append() is subsequently called, it allocates insufficient heap memory based on the corrupted index state, resulting in a classic CWE-122 (Heap-based Buffer Overflow). The flaw affects all XZ Utils versions prior to 5.8.3 across all platforms where the library is compiled and used. The vulnerability requires parsing a specially-crafted XZ archive, making it exploitable wherever XZ decompression is performed on untrusted input.
RemediationAI
Vendor-released patch: XZ Utils 5.8.3. Update to version 5.8.3 or later from the official XZ Utils repository. The patched version is available at https://github.com/tukaani-project/xz/releases/tag/v5.8.3. Linux distributions and package managers should prioritize updating their XZ Utils packages to 5.8.3. Users unable to immediately upgrade should restrict processing of untrusted XZ archive files until patching is completed. The upstream fix is documented in commit c8c22869e780ff57c96b46939c3d79ff99395f87. Official security advisory is available at https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv.
An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. Rated high severity (CVSS 8.8), this vulner
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons,
xz is a compression and decompression library focusing on the xz format completely written in Go. Rated high severity (C
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18505