Use after free in multithreaded lzma (.xz) decoder
In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.
The Haskell xz-clib library vendors and builds the C implementation. The xz package does not use the multithreaded decoder and is therefore unaffected.
Info
- Published: April 03, 2025
- Modified: April 03, 2025
- CAPECs: < none >
- CWEs: 416
- Keywords: corruption, vendored-code, language-c
- Aliases: CVE-2025-31115
- Related: < none >
- References
  - [ARTICLE] https://tukaani.org/xz/threaded-decoder-early-free.html
  - [FIX] https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
  - [FIX] https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951
Affected
xz-clib
- CVSS: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
- Versions: >=5.6.3 && <5.8.1
- Declarations: < none >