Description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
Published: 2026-03-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure due to out-of-bounds read during LZ4 decompression
Action: Immediate patch
AI Analysis

Impact

lZ4_flex, a pure Rust LZ4 compression library, contains a flaw that permits the extraction of secrets from uninitialized memory or from prior decompression operations. The bug arises when invalid LZ4 data causes the library to fail in validating offset values during match copy operations, leading to out-of-bounds reads from the output buffer. The vulnerability is captured by CWE‑201 and CWE‑823 and results in the potential leakage of sensitive data through crafted or malformed input streams.

Affected Systems

The affected product is the lz4_flex library from PSeitz, specifically versions 0.11.5 and earlier, as well as version 0.12.0. The block‑based decompression APIs, including decompress_into and decompress_into_with_dict, are vulnerable when the safe-decode feature is disabled. Frame‑based APIs remain unaffected.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity. EPSS is below 1 %, reflecting a low likelihood that the vulnerability is actively exploited in the wild, and it is not listed in CISA’s KEV catalog. Attackers would need to deliver malicious LZ4 payloads that target the vulnerable block‑based decompression functions. The impact is confined to environments that process untrusted LZ4 data with this library; as the breach is information disclosure, a successful exploit would expose data or secrets contained in memory.

Generated by OpenCVE AI on March 30, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update lz4_flex to version 0.11.6 or newer, or to 0.12.1 or a later release where the issue is fixed.

Generated by OpenCVE AI on March 30, 2026 at 16:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vvp9-7p8x-rfvv lz4_flex's decompression can leak information from uninitialized memory or reused output buffer
History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:pseitz:lz4_flex:*:*:*:*:*:rust:*:*
cpe:2.3:a:pseitz:lz4_flex:0.12.0:*:*:*:*:rust:*:*

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 01:00:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
Title lz4_flex: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer
Weaknesses CWE-201
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Pseitz
Pseitz lz4 Flex
Vendors & Products Pseitz
Pseitz lz4 Flex

Thu, 19 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title lz4_flex: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer
Weaknesses CWE-823
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Important

Subscriptions

Pseitz Lz4 Flex
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-21T03:03:09.928Z

Reserved: 2026-03-16T17:35:36.698Z

Link: CVE-2026-32829

cve-icon Vulnrichment

Updated: 2026-03-21T03:03:04.108Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T01:15:56.277

Modified: 2026-03-30T15:05:23.410

Link: CVE-2026-32829

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-16T20:48:08Z

Links: CVE-2026-32829 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:58:20Z

Weaknesses