CVE-2026-32829 lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer

lz4flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values...

CVE-2026-32829

CVE-2026-32829 affects the Rust library lz4_flex, a pure Rust LZ4 implementation. Technical details from the provided sources show that in versions 0.11.5 and earlier, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previously decompress...