Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : XZ Utils vulnerability (USN-8362-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by a vulnerability as referenced in the USN-8362-1 advisory. It was discovered that XZ Utils did not properly manage memory when attempting to append data ...

USN-8362-1 xz-utils vulnerability

It was discovered that XZ Utils did not properly manage memory when attempting to append data to a decoded index that contained no records. An attacker could possibly use this issue to cause XZ Utils to crash, resulting in a denial of service, or execute arbitrary code...

Advisory ROSA-SA-2026-3313

Component: xz 5.2.9 OS: ROSA-CHROME Unaffected versions: = xz-5.2.9-2 Affected versions: xz-5.2.9-2 CVE-ID: CVE-2026-34743 BDU-ID: None CVE-Crit: Medium CVE-DESCRIPTION: The buffer overflow vulnerability in XZ Utils allows an attacker to cause memory corruption by using the lzmaindexdecoder...

JLSEC-2026-462

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...

CVE-2026-34743

A flaw was found in XZ Utils. When the lzmaindexdecoder function processes an empty index, and a subsequent lzmaindexappend operation is performed, insufficient memory is allocated. This can lead to a buffer overflow, potentially causing a denial of service DoS for affected systems...

EUVD-2026-18505

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...

PT-2026-29689

Name of the Vulnerable Software and Affected Versions XZ Utils versions prior to 5.8.3 Description XZ Utils, a data-compression library and command-line tools, had a flaw where the lzma index decoder function, when processing an Index without Records, could leave the lzma index in a state leading...

TencentOS Server 4: xz (TSSA-2025:0279)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0279 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

RLSA-2025:7524 Important: xz security update

XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm LZMA, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short. Security Fixes: xz: XZ has a...

xz security update

An update is available for xz. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list XZ Utils is an integrated collection of user-space file compression utilities bas...

Researchers Spot XZ Utils Backdoor in Dozens of Docker Hub Images, Fueling Supply Chain Risks

New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident. More troubling is the fact that other images have been built on top of these infected base images, effectively propagating the infection furthe...

USN-7414-1 xz-utils vulnerability

Harri K. Koskinen discovered that XZ Utils incorrectly handled the threaded xz decoder. If a user or automated system were tricked into processing an xz file, a remote attacker could use this issue to cause XZ Utils to crash, resulting in a denial of service, or possibly execute arbitrary code...

AZL-59497 CVE-2025-31115 affecting package xz for versions less than 5.4.4-2

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...

ALPINE-CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...

DEBIAN-CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...

UBUNTU-CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free when processing multiple threads in the workerdecoder function in streamdecodermt.c. An attacker can cause the input buffer to be freed while a worker-specific thread is still writing to it, triggering a crash. Note: The...

SUSE CVE-2024-47611

XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows MinGW-w64 or MSVC, the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters for exampl...

Vulnerability fixed in liblzma (XZ Utils)

Malicious code has been found in liblzma XZ Utils software. XZ Utils is used for compression of data and may be present in Linux distributions. The vulnerability has been labeled CVE-2024-3094 and has been found in versions 5.6.0 and 5.6.1 of XZ Utils. A malicious party can exploit the...

XZ 安全漏洞

xz is a software application. It is used to support reading and writing xz compressed streams. A security vulnerability exists in XZ Utils version 5.2.5, which stems from a vulnerability that allows an attacker to cause a denial of service by unzipping specially crafted files...