
CVE-2025-31115 – XZ has a heap-use-after-free bug in threaded .xz decoder
https://notcve.org/view.php?id=CVE-2025-31115
03 Apr 2025 — XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8,... • https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 • CWE-366: Race Condition within a Thread; CWE-416: Use After Free; CWE-476: NULL Pointer Dereference; CWE-826: Premature Release of Resource During Expected Lifetime

CVE-2024-47611 – XZ Utils on Microsoft Windows platform are vulnerable to argument injection
https://notcve.org/view.php?id=CVE-2024-47611
02 Oct 2024 — XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command line tools from XZ Utils 5.6.2 and older have a command line argument injection vulnerability. If a command line contains Unicode characters (for example, filenames) that don't exist in the current legacy code page, the characters are converted to similar-looking characters with best-fit mapping. Some best-fit mappings result in ASCII characters that change the ... • https://github.com/tukaani-project/xz/commit/bf518b9ba446327a062ddfe67e7e0a5baed2394f • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'); CWE-176: Improper Handling of Unicode Encoding

CVE-2024-3094 – Xz: malicious code in distributed source
https://notcve.org/view.php?id=CVE-2024-3094
29 Mar 2024 — Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. • https://github.com/r0binak/xzk8s • CWE-506: Embedded Malicious Code