CVE-2025-31115

Medienbericht

EPSS 0.18%
Veröffentlicht 03.04.2025 17:15:30
Zuletzt bearbeitet 07.04.2025 14:18:34
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 4 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellertukaani-project

≫

Produkt xz

Version >= 5.3.3alpha, < 5.8.1

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.399

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-366 Race Condition within a Thread

If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

CWE-826 Premature Release of Resource During Expected Lifetime

The product releases a resource that is still intended to be used by itself or another actor.

https://www.heise.de/news/XZ-Utils-Schwachstelle-ermoeglicht-vermutlich-Codeschmuggel-10343043.html

Medienbericht

heise Security

https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480

https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2

https://tukaani.org/xz/xz-cve-2025-31115.patch

http://www.openwall.com/lists/oss-security/2025/04/03/1

http://www.openwall.com/lists/oss-security/2025/04/03/2

http://www.openwall.com/lists/oss-security/2025/04/03/3

https://nvd.nist.gov/vuln/detail/CVE-2025-31115

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-31115

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-31115

EUVD