XZ Utils Heap Use After Free Vulnerability in Multithreaded .xz Decoder

Vulnerability

A vulnerability in XZ Utils versions 5.3.3alpha through 5.8.0 allows invalid input to the multithreaded .xz decoder in liblzma to cause a crash. The invalid input triggers a heap use after free and a write to an address derived from a null pointer plus an offset. The vulnerability affects applications and libraries that use the 'lzma_stream_decoder_mt' function; code that only uses the single-threaded decoder is not reached by it.

Impact

Exploitation of this vulnerability causes a crash and therefore a denial-of-service condition. On 32-bit systems, particularly those without Position Independent Executable (PIE) enabled, it may additionally be possible to exploit the vulnerability to gain control of the process.

Remediation

The vulnerability has been fixed in XZ Utils version 5.8.1. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases, so a distribution package may already carry the fix without a version bump.
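The following is an added example, not part of this advisory and not code from the XZ Utils project: a small Python check that decides whether a given liblzma version falls in the affected range stated above (5.3.3alpha through 5.8.0 inclusive, fixed in 5.8.1). The version strings and the `xz --version` sample embedded in it are constructed for the test; the ordering of alpha/beta/stable mirrors the stability digit that liblzma's own lzma_version_number() uses. The ctypes lookup of the runtime library is optional and only works where liblzma is installed.

```python
import ctypes
import ctypes.util
import re
from typing import Optional, Tuple

# Affected range as stated in the advisory text.
FIRST_AFFECTED = "5.3.3alpha"
FIXED = "5.8.1"

# liblzma's lzma_version_number() encodes stability as 0=alpha, 1=beta, 2=stable.
_STABILITY = {"alpha": 0, "beta": 1, "": 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")


def parse_xz_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '5.3.3alpha' into a comparable tuple (5, 3, 3, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an XZ Utils version string: {text!r}")
    major, minor, patch, stability = m.groups()
    return (int(major), int(minor), int(patch), _STABILITY[stability or ""])


def is_affected(version: str) -> bool:
    """True if the version lies in [5.3.3alpha, 5.8.1).

    Caveat: distributions may backport the standalone patch without changing
    the version number, so a True result means 'check your package changelog',
    not 'definitely vulnerable'.
    """
    v = parse_xz_version(version)
    return parse_xz_version(FIRST_AFFECTED) <= v < parse_xz_version(FIXED)


def version_from_xz_output(output: str) -> str:
    """Extract the liblzma version from `xz --version` output.

    The tool prints two lines, 'xz (XZ Utils) X.Y.Z' and 'liblzma X.Y.Z';
    the library line is the relevant one because the bug is in liblzma.
    """
    for line in output.splitlines():
        if line.startswith("liblzma "):
            return line.split(None, 1)[1].strip()
    raise ValueError("no 'liblzma' line in xz --version output")


def runtime_liblzma_version() -> Optional[str]:
    """Ask the loaded liblzma for its version via lzma_version_string().

    Returns None when the shared library cannot be found, so the rest of the
    script still works on a machine without liblzma.
    """
    path = ctypes.util.find_library("lzma")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
        lib.lzma_version_string.restype = ctypes.c_char_p
        lib.lzma_version_string.argtypes = []
        return lib.lzma_version_string().decode("ascii")
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    # Constructed sample of `xz --version` output, used when no library is present.
    SAMPLE_OUTPUT = "xz (XZ Utils) 5.6.2\nliblzma 5.6.2\n"
    ver = runtime_liblzma_version() or version_from_xz_output(SAMPLE_OUTPUT)
    print(f"liblzma {ver}: {'in affected range' if is_affected(ver) else 'outside affected range'}")
```

Run it on a host to get a first triage answer; pair the result with the package changelog, since the fix ships as a standalone patch that older packaged versions may already include.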

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.1
remediation: 0.0
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.