Description
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Published: 2025-08-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-26149 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
Github GHSA Github GHSA GHSA-jc7w-c686-c4v9 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
History

Fri, 29 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 28 Aug 2025 22:00:00 +0000

Type Values Removed Values Added
Description xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Title github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2025-08-29T13:23:07.497Z

Reserved: 2025-08-22T14:30:32.221Z

Link: CVE-2025-58058

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2025-08-28T22:15:32.577

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-58058

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-08-28T21:54:05Z

Links: CVE-2025-58058 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses