Linux Kernel LZ4 Decompression Out-of-Bounds Read Vulnerability

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's handling of LZ4 decompression. The issue is in the LZ4_decompress_safe_partial function, where partial decoding of corrupted compressed data reaches extreme corner cases that the current decoding logic does not handle correctly, resulting in an out-of-bounds read. The problem was introduced when the decompression routine was ported from LZ4 version 1.8.3. LZ4 upstream has since addressed the issue, but integrating the latest upstream version into the Linux kernel will require significant effort.
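The decoder below is an added illustration, not the kernel's LZ4_decompress_safe_partial or the upstream fix: a minimal LZ4 block decoder in which every literal copy, match offset and match copy is checked against the input and output bounds, so the corrupted-input corner cases described above are rejected instead of being read past the buffer. The sample blocks fed to decode_sample are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Read an LZ4 length extension (255-bytes then a final byte) without stepping past the input. */
static int read_len(const uint8_t **ip, const uint8_t *iend, size_t *len)
{
    uint8_t b;
    do {
        if (*ip >= iend) return -1;   /* extension byte missing: corrupt input */
        b = *(*ip)++;
        *len += b;
    } while (b == 255);
    return 0;
}
/* Decode one LZ4 block with every read/write bounds-checked; returns bytes produced or -1 if corrupt. */
long lz4_decode_checked(const uint8_t *src, size_t src_len,
                        uint8_t *dst, size_t dst_cap)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;
    while (ip < iend) {
        uint8_t token = *ip++;
        size_t lit = token >> 4, mlen = (token & 0x0F) + 4, off;
        if (lit == 15 && read_len(&ip, iend, &lit) < 0) return -1;
        if ((size_t)(iend - ip) < lit || (size_t)(oend - op) < lit)
            return -1;                 /* literal run overruns input or output */
        memcpy(op, ip, lit); ip += lit; op += lit;
        if (ip == iend) break;         /* final sequence carries literals only */
        if (iend - ip < 2) return -1;  /* truncated match offset */
        off = ip[0] | ((size_t)ip[1] << 8); ip += 2;
        if (off == 0 || off > (size_t)(op - dst))
            return -1;                 /* match would read before dst[0] */
        if ((token & 0x0F) == 15 && read_len(&ip, iend, &mlen) < 0) return -1;
        if ((size_t)(oend - op) < mlen) return -1; /* match would write past dst */
        for (size_t i = 0; i < mlen; i++)  /* byte-wise: overlap is legal in LZ4 */
            op[i] = *(op - off + i);
        op += mlen;
    }
    return (long)(op - dst);
}
/* Decode a constructed sample into a 16-byte buffer; -2 if output differs from `want` (when given). */
long decode_sample(const uint8_t *in, size_t n, const char *want)
{
    uint8_t out[16];
    long r = lz4_decode_checked(in, n, out, sizeof out);
    if (r >= 0 && want && (strlen(want) != (size_t)r || memcmp(out, want, (size_t)r))) return -2;
    return r;
}
```

Each rejected case (offset larger than the bytes already produced, literal run longer than the remaining input, missing length-extension byte, match longer than the remaining output) is exactly a read or write that an unchecked decoder would perform out of bounds.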

Impact

Exploitation of this vulnerability can lead to an out-of-bounds read, potentially resulting in memory corruption or information disclosure.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  5.3
remediation     0.0
relevance       0.0
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.