- Description
- XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 8.7
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- HIGH
- security-advisories@github.com
- CWE-366
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
๐จ CVE-2025-31115 ๐ด HIGH (8.7) ๐ข tukaani-project - xz ๐๏ธ >= 5.3.3alpha, < 5.8.1 ๐ https://t.co/NeFth3KWYw ๐ https://t.co/XUPCoQ59j1 ๐ https://t.co/W44EvfHH0C #CyberCron #VulnAlert #InfoSec https://t.co/al2ETB3L1n
@cybercronai
4 Apr 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-31115: XZ Utils: Threaded decoder frees memory too early https://t.co/imwJoiEvmv At least a crash (denial of service). Heap use after free and writing to an address based on the null pointer plus an offset. Affects versions from 5.3.3alpha to 5.8.0. Fixed in 5.8.1.
@oss_security
3 Apr 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-31115 XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bโฆ https://t.co/Wy62b6xSv7
@CVEnew
3 Apr 2025
103 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-31115: HIGH] XZ Utils versions 5.3.3alpha to 5.8.0 had a bug in the multithreaded .xz decoder, leading to crashes due to invalid input. The issue is resolved in version 5.8.1 with a patch available for ...#cybersecurity,#vulnerability https://t.co/oIRRchSFAk https://t.c
@CveFindCom
3 Apr 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-31115 fixes for new xz vulnerability applied to stable/3.2 and master branches. will be part of the next release, 3.2.3. https://t.co/IEsj14Pw8S
@midnightbsd
3 Apr 2025
47 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes