
CVE-2025-31115


Date: April 3, 2025

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
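The advisory text above gives the affected range as a pair of version numbers and says the bug lives only in the multithreaded decoder, which suggests two practical checks: does the liblzma an application loads fall inside that range, and does the application actually call lzma_stream_decoder_mt. The following is an added example, not code from the CVE record or from the xz project: a small C checker that parses version strings such as "5.3.3alpha" or "5.8.0" into the integer encoding liblzma uses for LZMA_VERSION and lzma_version_number() (major*10000000 + minor*10000 + patch*10 + stability, with alpha = 0, beta = 1, stable = 2) and reports whether that version is affected. The function and macro names (xz_version_code, xz_version_affected, xz_version_string_affected, XZ_ENC) are this example's own.

```c
/*
 * Added example (not from the CVE record or the xz project): decide whether
 * a liblzma version lies in the CVE-2025-31115 affected range, 5.3.3alpha
 * through 5.8.0 inclusive, using the same integer encoding liblzma uses for
 * LZMA_VERSION and lzma_version_number():
 *     major * 10000000 + minor * 10000 + patch * 10 + stability
 * where stability is 0 = alpha, 1 = beta, 2 = stable.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same scheme as lzma_version_number(), so the two values are comparable. */
#define XZ_ENC(major, minor, patch, stability) \
    ((uint32_t)(major) * 10000000u + (uint32_t)(minor) * 10000u + \
     (uint32_t)(patch) * 10u + (uint32_t)(stability))

#define XZ_STABILITY_ALPHA  0u
#define XZ_STABILITY_BETA   1u
#define XZ_STABILITY_STABLE 2u

/* First affected release (5.3.3alpha), last affected (5.8.0), first fixed (5.8.1). */
static const uint32_t XZ_FIRST_AFFECTED = XZ_ENC(5, 3, 3, XZ_STABILITY_ALPHA);
static const uint32_t XZ_LAST_AFFECTED  = XZ_ENC(5, 8, 0, XZ_STABILITY_STABLE);
static const uint32_t XZ_FIXED          = XZ_ENC(5, 8, 1, XZ_STABILITY_STABLE);

/* Parse "5.8.0", "5.3.3alpha" or "5.5.1beta" into the encoded integer.
 * Returns 0 for anything that is not MAJOR.MINOR.PATCH[alpha|beta];
 * 0 is never a real xz version, so callers can use it as "unknown". */
uint32_t xz_version_code(const char *s)
{
    unsigned long parts[3];
    char *end;

    for (int i = 0; i < 3; i++) {
        if (*s < '0' || *s > '9')
            return 0;
        parts[i] = strtoul(s, &end, 10);
        if (parts[i] > 999)          /* keeps each field inside its digit slot */
            return 0;
        s = end;
        if (i < 2) {
            if (*s != '.')
                return 0;
            s++;
        }
    }

    uint32_t stability;
    if (*s == '\0')
        stability = XZ_STABILITY_STABLE;
    else if (strcmp(s, "alpha") == 0)
        stability = XZ_STABILITY_ALPHA;
    else if (strcmp(s, "beta") == 0)
        stability = XZ_STABILITY_BETA;
    else
        return 0;

    return XZ_ENC(parts[0], parts[1], parts[2], stability);
}

/* True if a liblzma with this version number carries the bug in
 * lzma_stream_decoder_mt(). At runtime, pass lzma_version_number(). */
bool xz_version_affected(uint32_t version)
{
    return version >= XZ_FIRST_AFFECTED && version <= XZ_LAST_AFFECTED;
}

/* String-based wrapper; an unparseable version is treated as affected so a
 * broken inventory entry fails closed rather than silently passing. */
bool xz_version_string_affected(const char *s)
{
    uint32_t v = xz_version_code(s);
    return v == 0 || xz_version_affected(v);
}

int main(void)
{
    /* Constructed sample of versions an inventory scan might report. */
    const char *samples[] = { "5.2.5", "5.3.2alpha", "5.3.3alpha", "5.4.6",
                              "5.6.1", "5.8.0", "5.8.1", "5.9.0", "n/a" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-11s %s\n", samples[i],
               xz_version_string_affected(samples[i])
                   ? "affected: upgrade to 5.8.1 or avoid lzma_stream_decoder_mt"
                   : "not affected");
    (void)XZ_FIXED;
    return 0;
}
```

In an application that links liblzma, feed lzma_version_number() to xz_version_affected() and, when it returns true, open untrusted .xz input with lzma_stream_decoder() instead of lzma_stream_decoder_mt(), since the advisory attributes the bug to the multithreaded decoder only. Two caveats: the version check is only a first pass, because distributions may apply the standalone patch mentioned above to a 5.4.x or 5.6.x package without changing its version number, so confirm against the distribution's changelog; and on the application side, `nm -D --undefined-only <binary> | grep lzma_stream_decoder_mt` shows whether a dynamically linked binary imports the affected function at all.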

Severity Score

Weakness Type (CWE)

CWE-476: NULL Pointer Dereference
CWE-416: Use After Free
CWE-366: Race Condition within a Thread
CWE-826: Premature Release of Resource During Expected Lifetime

Top Fix

Upgrade Version

Upgrade to XZ Utils 5.8.1 (tag v5.8.1 in https://github.com/tukaani-project/xz.git). No new release packages will be made from the older stable branches, so where an upgrade to 5.8.1 is not possible, apply the standalone patch, which applies to all affected releases. Only code paths that call lzma_stream_decoder_mt are affected; the single-threaded lzma_stream_decoder is not.


CVSS v3.1

Base Score: 7.5 (High), as computed from the metrics below
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

The availability-only impact reflects the crash described above; the record does not claim that the out-of-bounds write has been shown to be exploitable for code execution.
