CVE-2026-32829

EPSS 0.44%
Veröffentlicht 20.03.2026 00:49:12
Zuletzt bearbeitet 30.03.2026 15:05:23
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0,  decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

NVD 2 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Pseitz ≫ Lz4 Flex SwPlatformrust Version < 0.11.6

Pseitz ≫ Lz4 Flex Version0.12.0 SwPlatformrust

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.44%	0.352

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

CWE-823 Use of Out-of-range Pointer Offset

The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.

https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv

Vendor Advisory

Mitigation

https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d

Patch

https://rustsec.org/advisories/RUSTSEC-2026-0041.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32829

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32829

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32829

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32829