CVE-2025-31115

Published Apr 3, 2025

Last updated 25 days ago

CVSS high 8.7
XZ Utils

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2025-31115 affects XZ Utils versions 5.3.3alpha to 5.8.0. It is a heap use-after-free bug found in the multithreaded decoder within the liblzma library. This vulnerability can be triggered by invalid input, potentially leading to a crash due to memory corruption. Specifically, the vulnerability occurs in the `lzma_stream_decoder_mt` function. Exploitation could result in "heap use after free and writing to an address based on the null pointer plus an offset," which may allow attackers to corrupt memory and potentially execute arbitrary code. A fix is available in XZ Utils version 5.8.1.

Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.7
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-366

Social media

Hype score
Not currently trending

  1. XZ Utilsのマルチスレッドデコーダーに深刻度の高い脆弱性:CVE-2025-31115 | Codebook https://t.co/H1ZxpPvkHe #izumino_trend

    @sec_trend

    7 Apr 2025

    46 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2025-31115: XZ Utils Hit Again with High-Severity Multithreaded Decoder Bug https://t.co/FfqrbC2TNq

    @Dinosn

    7 Apr 2025

    3967 Impressions

    15 Retweets

    52 Likes

    14 Bookmarks

    1 Reply

    0 Quotes

  3. В XZ Utils обнаружена уязвимость use-after-free (CVE-2025-31115, 8.7 балла CVSS) в декодировщике многопоточного режима liblzma, затрагивающая версии с 5.3.3alpha по 5.8.0. Подробнее https://t.co/bxRVZSJ9dU https://t.co/Hu5yEeCcSd

    @KZCERT

    7 Apr 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. XZ Utilsにメモリ破壊の脆弱性。CVE-2025-31115はCVSSv4スコア8.7で、バージョン5.3.3alphaから5.8.0に影響。liblzmaのlzma_stream_decoder_mt関数が不正な入力をデコードする際に予測外の挙動。最低でもクラッシュ、最悪では任意コード実行の可能性。 https://t.co/ZyQ9i9f59q

    @__kokumoto

    7 Apr 2025

    5650 Impressions

    10 Retweets

    8 Likes

    3 Bookmarks

    0 Replies

    1 Quote

  5. CVE-2025-31115: XZ Utils Hit Again with High-Severity Multithreaded Decoder Bug https://t.co/2VOziBqH4g

    @the_yellow_fall

    7 Apr 2025

    2834 Impressions

    29 Retweets

    64 Likes

    17 Bookmarks

    0 Replies

    1 Quote

  6. 🚨 CVE-2025-31115 🔴 HIGH (8.7) 🏢 tukaani-project - xz 🏗️ >= 5.3.3alpha, < 5.8.1 🔗 https://t.co/NeFth3KWYw 🔗 https://t.co/XUPCoQ59j1 🔗 https://t.co/W44EvfHH0C #CyberCron #VulnAlert #InfoSec https://t.co/al2ETB3L1n

    @cybercronai

    4 Apr 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-31115: XZ Utils: Threaded decoder frees memory too early https://t.co/imwJoiEvmv At least a crash (denial of service). Heap use after free and writing to an address based on the null pointer plus an offset. Affects versions from 5.3.3alpha to 5.8.0. Fixed in 5.8.1.

    @oss_security

    3 Apr 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-31115 XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a b… https://t.co/Wy62b6xSv7

    @CVEnew

    3 Apr 2025

    103 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. [CVE-2025-31115: HIGH] XZ Utils versions 5.3.3alpha to 5.8.0 had a bug in the multithreaded .xz decoder, leading to crashes due to invalid input. The issue is resolved in version 5.8.1 with a patch available for ...#cybersecurity,#vulnerability https://t.co/oIRRchSFAk https://t.c

    @CveFindCom

    3 Apr 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. CVE-2025-31115 fixes for new xz vulnerability applied to stable/3.2 and master branches. will be part of the next release, 3.2.3. https://t.co/IEsj14Pw8S

    @midnightbsd

    3 Apr 2025

    47 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References