CVE-2026-32829
Received Received - Intake
Out-of-Bounds Read in lz4_flex Decompression Leaks Data

Publication date: 2026-03-20

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32829
EUVD
EUVD-2026-13426
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pseitz lz4_flex to 0.11.6 (exc)
pseitz lz4_flex 0.12.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-201 The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
CWE-823 The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32829 is a vulnerability in the Rust crate lz4_flex, specifically affecting its block-based decompression API. The issue arises because the library does not properly validate offset values during LZ4 "match copy operations," which are used to duplicate data from previously decompressed output or a user-supplied dictionary.'}, {'type': 'paragraph', 'content': 'Due to this improper validation, decompressing invalid or malformed LZ4 data can cause the library to read out-of-bounds memory from the output buffer. This can lead to leakage of sensitive information from uninitialized memory or leftover data from previous decompression operations.'}, {'type': 'paragraph', 'content': 'The vulnerability affects versions 0.11.5 and below, and 0.12.0 of lz4_flex, and impacts block-based API functions such as decompress_into and decompress_into_with_dict when the safe-decode feature is disabled. Frame-based APIs are not affected.'}, {'type': 'paragraph', 'content': 'This flaw can expose sensitive or secret data without requiring any privileges or user interaction. The issue has been fixed in versions 0.11.6 and 0.12.1 by adding strict validation of match offsets and improved error handling.'}] [1, 2]

Impact Analysis

This vulnerability can lead to the exposure of sensitive information from memory during decompression of crafted or invalid LZ4 compressed data.

  • An attacker can exploit the improper offset validation to cause the decompression function to read and output uninitialized memory or leftover data from previous decompression operations.
  • This results in a high-severity information leak, potentially exposing secrets or sensitive data without requiring any privileges or user interaction.
  • The attack vector is network-based and has low complexity, meaning it can be exploited remotely with relative ease.

If you use vulnerable versions of lz4_flex in your software, especially the block-based decompression APIs without the safe-decode feature enabled, your applications could unintentionally leak sensitive memory contents to attackers.

Mitigation involves upgrading to patched versions or zeroing the output buffer before decompression and enabling safe-decode.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves improper validation of offset values during decompression of LZ4 data using the lz4_flex Rust crate's block-based API. Detection involves identifying usage of vulnerable versions (≀ 0.11.5 and 0.12.0) of lz4_flex in your software stack, especially if the block-based decompression functions are used."}, {'type': 'paragraph', 'content': 'Since the vulnerability is triggered by decompressing crafted or malformed LZ4 input, monitoring for suspicious or malformed LZ4 compressed data being processed can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'There are no specific built-in commands provided in the resources for direct detection on a network or system. However, you can:'}, {'type': 'list_item', 'content': 'Check the version of lz4_flex used in your Rust projects or dependencies by inspecting Cargo.lock or running `cargo tree | grep lz4_flex`.'}, {'type': 'list_item', 'content': 'Audit logs or network traffic for LZ4 compressed data streams and analyze them for malformed or invalid LZ4 blocks that could trigger the vulnerability.'}, {'type': 'list_item', 'content': 'Use fuzz testing or custom test scripts to feed invalid LZ4 compressed data to the decompression functions and observe if uninitialized memory or unexpected data is leaked.'}, {'type': 'paragraph', 'content': 'No explicit detection commands are provided in the resources.'}] [1, 2, 3]

Mitigation Strategies

The primary mitigation is to upgrade the lz4_flex Rust crate to a patched version:

  • Upgrade to lz4_flex version 0.11.6 or later, or 0.12.1 or later, where the offset validation logic has been fixed.

If upgrading is not immediately feasible, apply the following mitigations:

  • Enable the `safe-decode` feature flag in lz4_flex to ensure safer decompression behavior.
  • Zero out the output buffer before each decompression call to prevent leaking uninitialized or previous decompression data.

These steps reduce the risk of sensitive data leakage during decompression of invalid or malicious LZ4 data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32829. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart