Allocation Of Resources Without Limits

github.com/ulikunitz/xz is vulnerable to Allocation Of Resources Without Limits. The vulnerability is due to denial of service due to improper header validation that allows arbitrary data to be prepended to an LZMA stream, causing the implementation to allocate a full decode buffer and consume...

AZL-66747 CVE-2025-58058 affecting package containerized-data-importer for versions less than 1.57.0-16

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current...

AZL-66735 CVE-2025-58058 affecting package jx for versions less than 3.2.236-23

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current...

CVE-2025-58058 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current...

The vulnerability of the lzma_stream_decoder_mt() function in the liblzma library, a data compression package for XZ Utils, allows a hacker to cause a service failure.

The vulnerability of the lzmastreamdecodermt function in the liblzma library, a component of the XZ Utils data compression package, involves premature resource release due to pointer aliasing. Exploiting this vulnerability could allow a remote attacker to cause service interruptions...

xz: XZ has a heap-use-after-free bug in threaded .xz decoder

A flaw was found in the XZ Utils library. In affected versions, the multithreaded .xz decoder in liblzma has a bug where invalid input can trigger a heap use-after-free condition, allowing writes to an address based on the null pointer plus an offset. This issue may result in a crash or other...

CVE-2025-31115 XZ has a heap-use-after-free bug in threaded .xz decoder

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...