Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
Published: 2026-04-02
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption
Action: Patch
AI Analysis

Impact

A buffer overflow occurs in XZ Utils when the lzma_index_decoder function processes an index containing no records. In this state, the resulting lzma_index is configured so that a subsequent call to lzma_index_append allocates insufficient memory, leading to a memory corruption error. The overflow could be used to overwrite memory and compromise program integrity, potentially allowing arbitrary code execution or causing a crash.

Affected Systems

All users of the tukaani-project:xz library running a version older than 5.8.3 are affected. This includes the XZ Utils package found in many Linux distributions, macOS, and other operating systems that rely on this compression tool for file handling or data transfer. The vulnerability applies to any application that employs lzma_index_decoder on empty indices and then appends records via lzma_index_append.
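The trigger condition described in the Impact and Affected Systems sections is an xz Index whose Number of Records field is zero, which is exactly what compressing empty input produces. The following Python parser is an added example, not part of the advisory or of the XZ Utils project: it reads the Stream Footer, uses Backward Size to locate the Index, verifies the CRC32 fields and returns the Records, so an application that hands untrusted .xz files to a pre-5.8.3 liblzma can spot inputs that reach the lzma_index_decoder()-then-lzma_index_append() path before calling into the library. The sample streams are constructed inline with Python's standard lzma module; the function names are my own.

```python
"""Count the Records in the Index of a single-stream .xz blob without liblzma.

Layout assumed (per the xz file-format spec, not from the advisory):
Stream Header (12 bytes) | Blocks | Index | Stream Footer (12 bytes).
"""
import lzma
import struct
import zlib
from typing import List, Tuple

STREAM_HEADER_MAGIC = b"\xfd7zXZ\x00"   # FD 37 7A 58 5A 00
STREAM_FOOTER_MAGIC = b"YZ"             # last two bytes of every .xz stream


def _read_vli(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode one xz variable-length integer at buf[pos]; return (value, next_pos)."""
    value = 0
    for i in range(9):  # the format allows at most 9 VLI bytes
        if pos >= len(buf):
            raise ValueError("truncated VLI")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << (7 * i)
        if not b & 0x80:
            return value, pos
    raise ValueError("VLI too long")


def parse_xz_index(data: bytes) -> List[Tuple[int, int]]:
    """Return the Index Records as (Unpadded Size, Uncompressed Size) pairs.

    Raises ValueError when the footer, Backward Size, CRC32 fields or Index
    Padding do not match the format, so a malformed container is rejected
    rather than silently reported as "no records".
    """
    if len(data) < 32 or not data.startswith(STREAM_HEADER_MAGIC):
        raise ValueError("not a .xz stream")
    footer = data[-12:]
    if footer[10:] != STREAM_FOOTER_MAGIC:
        raise ValueError("bad Stream Footer magic")
    footer_crc, backward_raw = struct.unpack("<II", footer[:8])
    # Footer CRC32 covers Backward Size and Stream Flags (6 bytes)
    if zlib.crc32(footer[4:10]) != footer_crc:
        raise ValueError("Stream Footer CRC32 mismatch")
    index_size = (backward_raw + 1) * 4          # Backward Size is stored as size/4 - 1
    index_start = len(data) - 12 - index_size
    if index_start < 12:
        raise ValueError("Backward Size points before the Stream Header")
    index = data[index_start:len(data) - 12]
    if index[0] != 0x00:
        raise ValueError("bad Index Indicator")
    (stored_crc,) = struct.unpack("<I", index[-4:])
    # Index CRC32 covers everything except the CRC field itself
    if zlib.crc32(index[:-4]) != stored_crc:
        raise ValueError("Index CRC32 mismatch")
    count, pos = _read_vli(index, 1)
    records = []
    for _ in range(count):
        unpadded, pos = _read_vli(index, pos)
        uncompressed, pos = _read_vli(index, pos)
        records.append((unpadded, uncompressed))
    # Index Padding: 0-3 zero bytes bringing the Index to a multiple of four
    padding = index[pos:-4]
    if len(padding) > 3 or any(padding) or len(index) % 4:
        raise ValueError("malformed Index Padding")
    return records


def has_empty_index(data: bytes) -> bool:
    """True when the stream's Index carries zero Records (the CVE trigger state)."""
    return not parse_xz_index(data)


# Constructed sample inputs: an empty stream and a one-block stream.
SAMPLE_EMPTY = lzma.compress(b"")
SAMPLE_ONE_BLOCK = lzma.compress(b"hello world")

if __name__ == "__main__":
    for name, blob in (("empty", SAMPLE_EMPTY), ("one block", SAMPLE_ONE_BLOCK)):
        print(name, len(blob), "bytes, records:", parse_xz_index(blob),
              "empty index:", has_empty_index(blob))
```

On a patched liblzma the check is unnecessary; on an unpatched one it lets a service fail closed on zero-Record Indexes instead of appending to them. The parser only handles single-stream files; concatenated streams would need the footer walk repeated per stream.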

Risk and Exploitability

The CVSS score of 1.7 and an EPSS below 1% indicate a low overall risk and a very small probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation to date. Exploitation would require the attacker to supply a crafted index file with no records to an affected application, implying a local or privileged context. No public remote attack vector is described, so the risk remains low without a direct network-facing component.

Generated by OpenCVE AI on April 4, 2026 at 03:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply XZ Utils version 5.8.3 or later, which contains the fix for the overflow



Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Tukaani
Tukaani xz
CPEs cpe:2.3:a:tukaani:xz:*:*:*:*:*:*:*:*
Vendors & Products Tukaani
Tukaani xz

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate


Fri, 03 Apr 2026 14:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Tukaani-project
Tukaani-project xz
Vendors & Products Tukaani-project
Tukaani-project xz

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
Title XZ Utils: Buffer overflow in lzma_index_append()
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T12:59:06.096Z

Reserved: 2026-03-30T19:17:10.224Z

Link: CVE-2026-34743

Vulnrichment

Updated: 2026-04-02T19:24:10.537Z

NVD

Status : Analyzed

Published: 2026-04-02T19:21:33.187

Modified: 2026-04-15T17:33:17.680

Link: CVE-2026-34743

Redhat

Severity : Moderate

Published Date: 2026-04-02T18:36:37Z

Links: CVE-2026-34743 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T07:55:30Z

Weaknesses