CVE-2026-34743
Received Received - Intake
Buffer Overflow in XZ Utils lzma_index_decoder Before

Publication date: 2026-04-02

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34743
EUVD
EUVD-2026-18505
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tukaani xz to 5.8.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34743 is a buffer overflow vulnerability in the XZ Utils library, specifically in the function lzma_index_append(). It occurs when lzma_index_decoder() is used to decode an Index that contains no Records. In this case, the resulting lzma_index structure is left in a state where a subsequent call to lzma_index_append() allocates too little memory, causing a buffer overflow.

This issue arises because when decoding an empty Index, an internal value called prealloc remains zero instead of being set to a default size. If lzma_index_append() is then called, it allocates insufficient memory based on this zero value, leading to the overflow.

Although the specific sequence of function calls needed to trigger this bug is rare in real-world applications and the lzma_index functions are rarely used directly by applications, the vulnerability affects all stable releases of XZ Utils up to and including version 5.8.2 and has been fixed in version 5.8.3.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-34743 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can lead to a buffer overflow, which is a type of memory corruption. Buffer overflows can potentially be exploited to cause crashes, unexpected behavior, or in some cases, arbitrary code execution.

However, the vulnerability requires a rare and specific sequence of API calls (decoding an empty Index followed by appending Records), which is unlikely to occur in typical real-world applications. Additionally, the lzma_index functions involved are rarely used directly by applications.

Therefore, while the vulnerability represents a security risk, its practical impact is considered low.

Detection Guidance

This vulnerability is related to a buffer overflow in the lzma_index_append() function of the XZ Utils library when decoding an Index containing no Records. Since the issue arises from a specific internal state of the lzma_index structure and a rare sequence of API calls, it is not typically detectable through network traffic or common system scans.

Detection would primarily involve checking the version of the XZ Utils or liblzma library installed on your system to determine if it is vulnerable (any version prior to 5.8.3).

Suggested commands to check the installed version of xz or liblzma on a Unix-like system include:

  • xz --version
  • lzma --version

If these commands show a version earlier than 5.8.3, the system is potentially vulnerable.

Mitigation Strategies

The primary mitigation step is to upgrade the XZ Utils and liblzma library to version 5.8.3 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, avoid using or exposing applications that directly use the lzma_index_append() and lzma_index_decoder() functions with potentially empty Index data, although this sequence is rare in real-world applications.

Additionally, monitor for updates or patches from your operating system or software vendor that backport the fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34743. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart