CVE-2026-34743
Buffer Overflow in XZ Utils lzma_index_decoder Before
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tukaani | xz | up to 5.8.3 (5.8.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-34743 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34743 is a buffer overflow vulnerability in the XZ Utils library, specifically in the function lzma_index_append(). It occurs when lzma_index_decoder() is used to decode an Index that contains no Records. In this case, the resulting lzma_index structure is left in a state where a subsequent call to lzma_index_append() allocates too little memory, causing a buffer overflow.
This issue arises because when decoding an empty Index, an internal value called prealloc remains zero instead of being set to a default size. If lzma_index_append() is then called, it allocates insufficient memory based on this zero value, leading to the overflow.
Although the specific sequence of function calls needed to trigger this bug is rare in real-world applications and the lzma_index functions are rarely used directly by applications, the vulnerability affects all stable releases of XZ Utils up to and including version 5.8.2 and has been fixed in version 5.8.3.
How can this vulnerability impact me?
This vulnerability can lead to a buffer overflow, which is a type of memory corruption. Buffer overflows can potentially be exploited to cause crashes, unexpected behavior, or in some cases, arbitrary code execution.
However, the vulnerability requires a rare and specific sequence of API calls (decoding an empty Index followed by appending Records), which is unlikely to occur in typical real-world applications. Additionally, the lzma_index functions involved are rarely used directly by applications.
Therefore, while the vulnerability represents a security risk, its practical impact is considered low.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is related to a buffer overflow in the lzma_index_append() function of the XZ Utils library when decoding an Index containing no Records. Since the issue arises from a specific internal state of the lzma_index structure and a rare sequence of API calls, it is not typically detectable through network traffic or common system scans.
Detection would primarily involve checking the version of the XZ Utils or liblzma library installed on your system to determine if it is vulnerable (any version prior to 5.8.3).
Suggested commands to check the installed version of xz or liblzma on a Unix-like system include:
- xz --version
- lzma --version
If these commands show a version earlier than 5.8.3, the system is potentially vulnerable.
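The version check described in the answer above, written out as an added example (not code from the advisory page or from the XZ project): it parses `xz --version` output against the 5.8.3 fix boundary for both the tool and liblzma lines, and, where a liblzma can be loaded, also queries the library actually in use through its `lzma_version_number()` function. The sample output is constructed.

```python
import ctypes
import ctypes.util
import re

FIXED = (5, 8, 3, 2)  # 5.8.3 stable: first release with the lzma_index_append() fix
_STABILITY = {"alpha": 0, "beta": 1}  # pre-release tags sort below the final release


def parse_version(text):
    """Turn '5.8.2' or '5.7.1alpha' into (major, minor, patch, stability)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised xz version string: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch), _STABILITY.get(tag, 2))


def is_vulnerable(version):
    """True when the version precedes 5.8.3 (the advisory's 'up to 5.8.3, excluded' range).
    A pre-release of 5.8.3 is conservatively treated as unfixed."""
    return parse_version(version) < FIXED


def versions_from_output(output):
    """Extract tool and library versions from `xz --version` output.
    The bug lives in liblzma, so the 'liblzma' line is the one that matters."""
    found = {}
    for line in output.splitlines():
        m = re.match(r"(xz \(XZ Utils\)|liblzma)\s+(\S+)", line)
        if m:
            found["liblzma" if m.group(1) == "liblzma" else "xz"] = m.group(2)
    return found


def decode_version_number(n):
    """Decode lzma_version_number(): major*10000000 + minor*10000 + patch*10 + stability."""
    return (n // 10000000, (n // 10000) % 1000, (n // 10) % 1000, n % 10)


def loaded_liblzma_version():
    """Version tuple of the liblzma this process can load, or None if none is found."""
    name = ctypes.util.find_library("lzma")
    if not name:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.lzma_version_number.restype = ctypes.c_uint32
    return decode_version_number(lib.lzma_version_number())


# Constructed sample of `xz --version` output from an unpatched host
SAMPLE_OUTPUT = "xz (XZ Utils) 5.8.2\nliblzma 5.8.2\n"

if __name__ == "__main__":
    for component, ver in versions_from_output(SAMPLE_OUTPUT).items():
        print(f"{component} {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'fixed'}")
    runtime = loaded_liblzma_version()
    if runtime:
        print("loaded liblzma:", runtime, "VULNERABLE" if runtime < FIXED else "fixed")
```

Run it on a real host by replacing SAMPLE_OUTPUT with the captured output of `xz --version`; the runtime check catches the case where the xz binary was updated but an older liblzma is still the one being loaded.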
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the XZ Utils and liblzma library to version 5.8.3 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, avoid using or exposing applications that directly use the lzma_index_append() and lzma_index_decoder() functions with potentially empty Index data, although this sequence is rare in real-world applications.
Additionally, monitor for updates or patches from your operating system or software vendor that backport the fix.