44 matches found

IBM Security Bulletins
added 2026/04/09 5:1 p.m., 11 views

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to lz4 and Apache Log4j (CVE-2025-12183, CVE-2025-66566 & CVE-2025-68161)

Summary Users of Kafka features in IBM App Connect Enterprise and IBM Integration Bus for z/OS and the jdbcConnector in IBM App Connect Enterprise are vulnerable to multiple vulnerabilities due to lz4 and Apache Log4j. Vulnerability Details CVEID:CVE-2025-12183 DESCRIPTION: Out-of-bounds memory...

8.8 CVSS, 6.8 AI score, 0.00743 EPSS
Exploits 1, Affected Software 2

F5 Networks
added 2026/03/03 4:24 p.m., 12 views

K000160213: LZ4 vulnerability CVE-2025-12183

Security Advisory Description Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input. CVE-2025-12183 Impact There is no impact; F5 products are not affected by this...

8.8 CVSS, 6 AI score, 0.0068 EPSS
Exploits 0

Rosalinux
added 2026/02/16 10:56 a.m., 7 views

Advisory ROSA-SA-2026-3175

Software: lz4 1.8.3 OS: ROSA Virtualization 3.0 unaffected versions = lz4-1.8.3-5.rv30 affected versions lz4-1.8.3-5.rv30 CVE-ID: CVE-2019-17543 BDU-ID: 2023-07612 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the LZ4 lossless data compression algorithm is related to writing beyond buffer...

8.1 CVSS, 7.6 AI score, 0.09116 EPSS
Exploits 0

Tenable Nessus
added 2026/01/16 12:0 a.m., 4 views

Unity Linux 20.1070a Security Update: kernel (UTSA-2026-004803)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004803 advisory. In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4_decompress_safe_partial read out of bound When partialDecoding, it is EOF if we've eith...

7.8 CVSS, 6.1 AI score, 0.00248 EPSS
Exploits 0, References 4

Tenable Nessus
added 2026/01/15 12:0 a.m., 4 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002516)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002516 advisory. Integer overflow in the LZ4 algorithm implementation, as used in Yann Collet LZ4 before r118 and in the lz4_uncompress function in lib/lz4/lz4_decompress.c in the Linu...

5 CVSS, 7.5 AI score, 0.08103 EPSS
Exploits 0, References 34

vulnersOsv
added 2025/12/05 6:54 p.m., 5 views

ae.teletronics.nlp:categorisation (>=1.3 <=1.6), ae.teletronics.nlp:entityextraction (>=1.3 <=1.4) +4953 more potentially affected by CVE-2025-66566 via net.jpountz.lz4:lz4 (>=1.1.0 <=1.3.0)

net.jpountz.lz4:lz4 MAVEN version =1.1.0, =1.3, =1.3, =0.42.1, =1.3.0, =0.13.0, =1.1.0, =0.13.0, =0.13.0, =0.13.0, =0.13.0, =0.10.0, =0.13.0, =v1.1.0-226-g847ecff2d8e26f249422247d7665fe15f07b1744 and more Source cves: CVE-2025-66566 Source advisory: OSV:GHSA-CMP6-M4WJ-Q63Q...

8.2 CVSS, 6.8 AI score, 0.00541 EPSS
Exploits 0

vulnersOsv
added 2025/12/05 6:54 p.m., 7 views

ae.teletronics.nlp:categorisation (>=1.3 <=1.6), ae.teletronics.nlp:entityextraction (>=1.3 <=1.4) +4953 more potentially affected by CVE-2025-12183 +1 more via net.jpountz.lz4:lz4 (>=1.1.0 <=1.3.0)

net.jpountz.lz4:lz4 MAVEN version =1.1.0, =1.3, =1.3, =0.42.1, =1.3.0, =0.13.0, =1.1.0, =0.13.0, =0.13.0, =0.13.0, =0.13.0, =0.10.0, =0.13.0, =v1.1.0-226-g847ecff2d8e26f249422247d7665fe15f07b1744 and more Source cves: CVE-2025-12183, CVE-2025-66566 Source advisory: SNYK:JAVA-NETJPOUNTZLZ4-1421937...

8.8 CVSS, 6.8 AI score, 0.0068 EPSS
Exploits 0

Snyk
added 2025/11/28 4:39 p.m., 3 views

Out-of-bounds Read

Overview Affected versions of this package are vulnerable to Out-of-bounds Read due to the use of the insecure LZ4_decompress_fast in the underlying lz4 library, which lacks bounds checks. An attacker can cause denial of service or access sensitive memory contents by providing specially crafted...

8.8 CVSS, 6.6 AI score, 0.0068 EPSS
Exploits 0, References 2

Amazon
added 2025/11/10 12:0 a.m., 3 views

Low: firefox

Issue Overview: No CVE associated with this advisory Affected Packages: firefox Issue Correction: Run dnf update firefox --releasever 2023.9.20251110 or dnf update --advisory ALAS2023-2025-1284 --releasever 2023.9.20251110 to update your system. More information on how to update your system can b...

6.5 AI score
Exploits 0

IBM Security Bulletins
added 2025/10/30 2:10 p.m., 5 views

Security Bulletin: IBM DataPower Gateway vulnerable to data corruption due to LZ4 (CVE-2019-17543)

Summary LZ4 is used in multiple components of IBM DataPower Gateway Vulnerability Details CVEID:CVE-2019-17543 DESCRIPTION: LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 related to LZ4_compress_destSize, affecting applications that call LZ4_compress_fast with a large input. This iss...

8.1 CVSS, 7 AI score, 0.09116 EPSS
Exploits 0, Affected Software 1

Tenable Nessus
added 2025/10/28 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-62813

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LZ4 through 1.10.0 allows attackers to cause a denial of service application crash or possibly have unspecified other impact when the application processes...

5.9 CVSS, 7.2 AI score
Exploits 0, References 3

Tenable Nessus
added 2025/10/23 12:0 a.m., 1 views

Unity Linux 20.1060e / 20.1070e Security Update: lz4 (UTSA-2025-988593)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-988593 advisory. LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 related to LZ4_compress_destSize, affecting applications that call LZ4_compress_fast with a large input...

8.1 CVSS, 7.8 AI score, 0.09116 EPSS
Exploits 0, References 3

Debian CVE
added 2025/10/23 12:0 a.m., 2 views

CVE-2025-62813

Removed by vendor...

6.7 AI score
Exploits 0

Tenable Nessus
added 2025/10/09 12:0 a.m., 10 views

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-7.3.1)

The version of AOS installed on the remote host is prior to 7.3.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-7.3.1 advisory. - LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 related to LZ4_compress_destSize, affecting applications that cal...

9.8 CVSS, 7.7 AI score, 0.66365 EPSS
Exploits 50, References 43

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-7893

Malware in sbrugna...

8.1 CVSS, 7.1 AI score, 0.09116 EPSS
Exploits 0, References 22

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2014-4634

Malware in sbrugna...

5 CVSS, 5.5 AI score, 0.02752 EPSS
Exploits 0, References 7

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-55126

Malicious code in bioql PyPI...

7.8 CVSS, 7.2 AI score, 0.00248 EPSS
Exploits 0, References 6

Tenable Nessus
added 2025/08/21 12:0 a.m., 1 views

TencentOS Server 3: lz4 (TSSA-2025:0681)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0681 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...

8.1 CVSS, 7.9 AI score, 0.09116 EPSS
Exploits 0, References 2

RedHat Linux
added 2025/07/15 1:53 a.m., 7 views

lz4: heap-based buffer overflow in LZ4_write32

LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 related to LZ4_compress_destSize, affecting applications that call LZ4_compress_fast with a large input. This issue can also lead to data corruption. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."...

8.1 CVSS, 7.4 AI score, 0.09116 EPSS
Exploits 0, References 4

Tenable Nessus
added 2025/07/15 12:0 a.m., 6 views

RHEL 8 : lz4 (RHSA-2025:11035)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:11035 advisory. The lz4 packages provide support for LZ4, a very fast, lossless compression algorithm that provides compression speeds of 400 MB/s per core and scal...

8.1 CVSS, 7.9 AI score, 0.09116 EPSS
Exploits 0, References 5