CVE-2020-22916

2023-08-2200:00:00

ubuntu.com

xz compression

denial of service

crafted file

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

28.3%

JSON

DISPUTED An issue discovered in XZ 5.2.5 allows attackers to cause a
denial of service via decompression of a crafted file. NOTE: the vendor
disputes the claims of “endless output” and “denial of service” because
decompression of the 17,486 bytes always results in 114,881,179 bytes,
which is often a reasonable size increase.

Notes

Author	Note
mdeslaur	There are no details about this ancient CVE. The original URL is gone and the xz-utils developers can’t reproduce it as of 2023-09-15.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchxz-utils< anyUNKNOWN
ubuntu20.04noarchxz-utils< anyUNKNOWN
ubuntu22.04noarchxz-utils< anyUNKNOWN
ubuntu24.04noarchxz-utils< anyUNKNOWN
ubuntu14.04noarchxz-utils< anyUNKNOWN
ubuntu16.04noarchxz-utils< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	xz-utils	< any	UNKNOWN
ubuntu	20.04	noarch	xz-utils	< any	UNKNOWN
ubuntu	22.04	noarch	xz-utils	< any	UNKNOWN
ubuntu	24.04	noarch	xz-utils	< any	UNKNOWN
ubuntu	14.04	noarch	xz-utils	< any	UNKNOWN
ubuntu	16.04	noarch	xz-utils	< any	UNKNOWN