CVE-2026-34743

Published: April 4, 2026Last modified: May 4, 2026

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Severity score breakdown

Parameter	Value
Base score	5.3
Attack Vector	NETWORK
Attack complexity	LOW
Privileges required	NONE
User interaction	NONE
Scope	UNCHANGED
Confidentiality	NONE
Integrity impact	NONE
Availability impact	LOW
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Status

Product	Release	Package	Status
Alpaquita Linux	23 LTS	xz	Fixed (5.2.9_p525-r1)
	25 LTS	xz	Fixed (5.8.3-r0)
	Stream	xz	Fixed (5.8.3-r0)
Hardened Containers	23 LTS	xz	Fixed (5.2.9_p525-r1)
	25 LTS	xz	Fixed (5.8.3-r0)
	Stream	xz	Fixed (5.8.3-r0)

References

http://www.openwall.com/lists/oss-security/2026/03/31/13
https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
https://github.com/tukaani-project/xz/releases/tag/v5.8.3
https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv