MNBSD-2025-3: xz-utils threaded decoder is vulnerable to DoS

Severity: Unknown

Affected Package: xz-utils

Summary: xz-utils threaded decoder is vulnerable to DoS

Description

The threaded .xz decoder in liblzma has a bug that can at least result in a crash (denial of service). The effects include heap use after free and writing to an address based on the null pointer plus an offset. This affects XZ Utils versions from 5.3.3alpha to 5.8.0. Applications and libraries that use the lzma_stream_decoder_mt function are affected.
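
As an added example (not part of the advisory or of XZ Utils), the following C helper checks whether a liblzma version string falls in the range stated above, using the same numeric encoding as lzma_version_number(). The names encode_version and check_version are hypothetical, and treating the range as inclusive at both ends is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Affected range from the advisory, assumed inclusive at both ends.
 * Encoding matches lzma_version_number():
 * major*10000000 + minor*10000 + patch*10 + stability (alpha=0, beta=1, stable=2). */
#define AFFECTED_FIRST UINT32_C(50030030) /* 5.3.3alpha */
#define AFFECTED_LAST  UINT32_C(50080002) /* 5.8.0 */

/* Hypothetical helper: encode "5.3.3alpha" or "5.8.0"; 0 means unparseable. */
uint32_t encode_version(const char *s)
{
    unsigned long part[3];
    for (int i = 0; i < 3; i++) {
        char *end;
        if (*s < '0' || *s > '9')
            return 0;
        part[i] = strtoul(s, &end, 10);
        if (part[i] > (i == 0 ? 99UL : 999UL))
            return 0;
        s = end;
        if (i < 2 && *s++ != '.')
            return 0;
    }
    uint32_t stability;
    if (*s == '\0')                   stability = 2;
    else if (strcmp(s, "alpha") == 0) stability = 0;
    else if (strcmp(s, "beta") == 0)  stability = 1;
    else return 0;
    return (uint32_t)(part[0] * 10000000UL + part[1] * 10000UL + part[2] * 10UL) + stability;
}

/* 1 = inside the affected range, 0 = outside, -1 = version not understood
 * (treat -1 as "needs manual review", never as "safe"). */
int check_version(const char *s)
{
    uint32_t v = encode_version(s);
    if (v == 0)
        return -1;
    return v >= AFFECTED_FIRST && v <= AFFECTED_LAST;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real host. */
    const char *samples[] = { "5.2.5", "5.3.3alpha", "5.6.1", "5.8.0", "5.8.1", "unknown" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %d\n", samples[i], check_version(samples[i]));
    return 0;
}
```

A distribution may ship a patched build under an unchanged upstream version number, so a match here identifies a build to investigate rather than proving exposure.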

Affected Versions

xz-utils

Specific versions:

Recommendations

Update to the latest release.

References

Additional Information

Aliases: CVE-2025-31115

Published: April 03, 2025
Last Modified: April 03, 2025