CVE-2026-32829
Out-of-Bounds Read in lz4_flex Decompression Leaks Data
Publication date: 2026-03-20
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pseitz | lz4_flex | < 0.11.6 |
| pseitz | lz4_flex | 0.12.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-823 | The product performs pointer arithmetic on a valid pointer, but it uses an offset that can point outside of the intended range of valid memory locations for the resulting pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32829 is a vulnerability in the Rust crate lz4_flex, specifically affecting its block-based decompression API. The issue arises because the library does not properly validate offset values during LZ4 "match copy operations," which are used to duplicate data from previously decompressed output or a user-supplied dictionary.

Due to this improper validation, decompressing invalid or malformed LZ4 data can cause the library to read out-of-bounds memory from the output buffer. This can lead to leakage of sensitive information from uninitialized memory or leftover data from previous decompression operations.

The vulnerability affects versions 0.11.5 and below, and 0.12.0 of lz4_flex, and impacts block-based API functions such as decompress_into and decompress_into_with_dict when the safe-decode feature is disabled. Frame-based APIs are not affected.

This flaw can expose sensitive or secret data without requiring any privileges or user interaction. The issue has been fixed in versions 0.11.6 and 0.12.1 by adding strict validation of match offsets and improved error handling. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to the exposure of sensitive information from memory during decompression of crafted or invalid LZ4 compressed data.
- An attacker can exploit the improper offset validation to cause the decompression function to read and output uninitialized memory or leftover data from previous decompression operations.
- This results in a high-severity information leak, potentially exposing secrets or sensitive data without requiring any privileges or user interaction.
- The attack vector is network-based and has low complexity, meaning it can be exploited remotely with relative ease.
If you use vulnerable versions of lz4_flex in your software, especially the block-based decompression APIs without the safe-decode feature enabled, your applications could unintentionally leak sensitive memory contents to attackers.
Mitigation involves upgrading to patched versions or zeroing the output buffer before decompression and enabling safe-decode.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper validation of offset values during decompression of LZ4 data using the lz4_flex Rust crate's block-based API. Detection involves identifying usage of vulnerable versions (≤ 0.11.5 and 0.12.0) of lz4_flex in your software stack, especially if the block-based decompression functions are used.

Since the vulnerability is triggered by decompressing crafted or malformed LZ4 input, monitoring for suspicious or malformed LZ4 compressed data being processed can help detect exploitation attempts.

There are no specific built-in commands provided in the resources for direct detection on a network or system. However, you can:
- Check the version of lz4_flex used in your Rust projects or dependencies by inspecting Cargo.lock or running `cargo tree | grep lz4_flex`.
- Audit logs or network traffic for LZ4 compressed data streams and analyze them for malformed or invalid LZ4 blocks that could trigger the vulnerability.
- Use fuzz testing or custom test scripts to feed invalid LZ4 compressed data to the decompression functions and observe if uninitialized memory or unexpected data is leaked.

No explicit detection commands are provided in the resources. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the lz4_flex Rust crate to a patched version:
- Upgrade to lz4_flex version 0.11.6 or later, or 0.12.1 or later, where the offset validation logic has been fixed.
If upgrading is not immediately feasible, apply the following mitigations:
- Enable the `safe-decode` feature flag in lz4_flex to ensure safer decompression behavior.
- Zero out the output buffer before each decompression call to prevent leaking uninitialized or previous decompression data.
These steps reduce the risk of sensitive data leakage during decompression of invalid or malicious LZ4 data.
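The following is an added example, not code from the lz4_flex crate or from this advisory. It is a minimal LZ4 block decoder written for illustration that applies the two defensive measures the record describes: the strict match-offset validation that the fixed releases add (every offset is checked against the bytes already written plus the dictionary before any copy), and the interim workaround of zeroing the output buffer before each call. The function names `decompress_into_checked` and `decompress_into_zeroed`, the `DecodeError` type, and the sample byte sequences are all constructed here; the rejection of a zero offset follows the LZ4 block format specification rather than anything stated on this page.

```rust
/// Errors a hardened LZ4 block decoder reports instead of reading out of bounds.
#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    TruncatedInput,
    OutputTooSmall,
    ZeroOffset,
    OffsetOutOfRange { offset: usize, available: usize },
}

/// Reads the LZ4 variable-length extension: add bytes until one is not 0xFF.
fn read_len(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*ip).ok_or(DecodeError::TruncatedInput)?;
        *ip += 1;
        len += b as usize;
        if b != 0xFF {
            return Ok(len);
        }
    }
}

/// Decodes one LZ4 block into `output`; matches may reach back into `dict`.
/// Every match offset is validated against `dict.len() + bytes written so far`
/// before a single byte is copied. (Hypothetical code, not the crate's own.)
pub fn decompress_into_checked(input: &[u8], dict: &[u8], output: &mut [u8]) -> Result<usize, DecodeError> {
    let mut ip = 0usize; // read position in input
    let mut op = 0usize; // write position in output
    while ip < input.len() {
        let token = input[ip];
        ip += 1;

        // Literal run length: high nibble; 15 means extension bytes follow.
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 {
            lit_len = read_len(input, &mut ip, lit_len)?;
        }
        if ip + lit_len > input.len() {
            return Err(DecodeError::TruncatedInput);
        }
        if op + lit_len > output.len() {
            return Err(DecodeError::OutputTooSmall);
        }
        output[op..op + lit_len].copy_from_slice(&input[ip..ip + lit_len]);
        ip += lit_len;
        op += lit_len;

        // The final sequence carries literals only.
        if ip == input.len() {
            break;
        }

        // Match: 2-byte little-endian offset, then length (low nibble + 4).
        if ip + 2 > input.len() {
            return Err(DecodeError::TruncatedInput);
        }
        let offset = u16::from_le_bytes([input[ip], input[ip + 1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0F) as usize;
        if match_len == 15 {
            match_len = read_len(input, &mut ip, match_len)?;
        }
        match_len += 4;

        // Strict offset validation: offset 0 is invalid in the LZ4 block format, and an
        // offset beyond what this stream has produced would read memory that is not ours.
        if offset == 0 {
            return Err(DecodeError::ZeroOffset);
        }
        let available = op + dict.len();
        if offset > available {
            return Err(DecodeError::OffsetOutOfRange { offset, available });
        }
        if op + match_len > output.len() {
            return Err(DecodeError::OutputTooSmall);
        }
        // Byte-by-byte copy so overlapping matches (offset < match_len) repeat correctly.
        for _ in 0..match_len {
            let b = if offset > op { dict[dict.len() + op - offset] } else { output[op - offset] };
            output[op] = b;
            op += 1;
        }
    }
    Ok(op)
}

/// Workaround the advisory lists for callers stuck on an unpatched decoder:
/// clear the output buffer before every call so a bounds bug can at most leak zeros.
pub fn decompress_into_zeroed(input: &[u8], dict: &[u8], output: &mut [u8]) -> Result<usize, DecodeError> {
    output.fill(0);
    decompress_into_checked(input, dict, output)
}

fn main() {
    // Constructed sample: literals "abc", match (offset 3, length 6), trailing literal "x".
    let good: [u8; 8] = [0x32, b'a', b'b', b'c', 0x03, 0x00, 0x10, b'x'];
    // Same block with offset 8, which points before the start of the output buffer.
    let bad: [u8; 8] = [0x32, b'a', b'b', b'c', 0x08, 0x00, 0x10, b'x'];
    let mut out = [0u8; 16];
    let n = decompress_into_zeroed(&good, &[], &mut out).unwrap();
    println!("{:?}", std::str::from_utf8(&out[..n]).unwrap()); // "abcabcabcx"
    println!("{:?}", decompress_into_zeroed(&bad, &[], &mut out)); // rejected: offset 8 > available 3
    // With a 5-byte dictionary the same offset is legal and reads back into the dictionary.
    let n = decompress_into_zeroed(&bad, b"hello", &mut out).unwrap();
    println!("{:?}", std::str::from_utf8(&out[..n]).unwrap()); // "abchelloax"
}
```

The third call shows why the check must count the dictionary as well as the output written so far: an offset that is out of range for a plain `decompress_into` call can be perfectly valid for a `decompress_into_with_dict` call, so the bound is `op + dict.len()`, not `op` alone.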