CVE-2026-32829
HIGH
8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 'match copy operations,' allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
201
Insertion of Sensitive Information Into Sent Data
DraftCommon Consequences
Security Scopes Affected:
Confidentiality
Potential Impacts:
Read Files Or Directories
Read Memory
Read Application Data
Applicable Platforms
All platforms may be affected
823
Use of Out-of-range Pointer Offset
IncompleteCommon Consequences
Security Scopes Affected:
Confidentiality
Availability
Integrity
Potential Impacts:
Read Memory
Dos: Crash, Exit, Or Restart
Execute Unauthorized Code Or Commands
Modify Memory
Applicable Platforms
Languages:
C, C++, Memory-Unsafe
https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9…
https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv
https://rustsec.org/advisories/RUSTSEC-2026-0041.html