Skip to main content

bzip2 CVE-2026-42250

| EUVDEUVD-2026-32898 MEDIUM
Out-of-bounds Write (CWE-787)
2026-05-28 cvd@cert.pl GHSA-9r29-3vrx-4537
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Red Hat
5.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 05, 2026 - 08:22 NVD
5.1 (MEDIUM) 4.8 (MEDIUM)
Patch available
May 28, 2026 - 15:01 EUVD
Analysis Generated
May 28, 2026 - 14:33 vuln.today

DescriptionCVE.org

bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).

This issue was fixed in bzip2 version 1.0.9

AnalysisAI

Out-of-bounds write in bzip2's bzip2recover utility allows a local attacker to supply a specially crafted file that triggers an off-by-one error, corrupting a global buffer and crashing the process. Per the CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:N), the attack requires no privileges and no user interaction beyond the utility being invoked against a malicious file. Impact is strictly denial of service against the bzip2recover process - no confidentiality or integrity exposure - and the CVSS 4.0 score of 5.1 (Medium) reflects this constrained scope. No public exploit or active exploitation has been identified at time of analysis.

Technical ContextAI

bzip2recover is a bundled utility within the bzip2 compression suite, designed to salvage data from damaged .bz2 archives by scanning for valid compressed blocks. The root cause is CWE-787 (Out-of-bounds Write): an off-by-one logic error causes the program to write one element past the intended boundary of a statically allocated global buffer when parsing a crafted input file. This class of error - common in file-parsing utilities with fixed-size internal state - results in memory corruption adjacent to the overwritten buffer. Because the affected buffer is global (not stack-allocated), the immediate consequence is typically a crash rather than a controllable code execution primitive, consistent with the observed denial-of-service impact. The CVSS 4.0 vector (AV:L/AC:L/AT:N) confirms low attack complexity with no prerequisite system configurations required beyond the ability to provide a file to the utility.

RemediationAI

Vendor-released patch: bzip2 1.0.9. Upgrade to bzip2 1.0.9 or later using the distribution's package manager or by building from source via the upstream project at https://sourceware.org/bzip2/. Full advisory details are available from CERT Polska at https://cert.pl/en/posts/2026/05/CVE-2026-42250/. Where upgrading is not immediately feasible, a targeted compensating control is to remove or restrict execution of the bzip2recover binary (e.g., via filesystem permissions or package-level removal of the utility). This eliminates the attack surface entirely and carries no side effects on normal bzip2 compression and decompression operations, since bzip2recover is a separate utility not invoked by the standard bzip2 or bunzip2 commands. If bzip2recover is required, restrict its invocation to trusted, validated input files only, and do not expose it to user-supplied archive processing pipelines.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed
SUSE Linux Enterprise Micro 5.4 Fixed
SUSE Linux Enterprise Micro 5.5 Fixed

Share

CVE-2026-42250 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy