CVE-2025-15570

EUVD-2025-207358
A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
ckolivaslrzip
𝑥
≤ 0.651
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
lrzip
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
0.660-1
fixed
sid
0.660-1
fixed
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/ckolivas/lrzip/
https://github.com/ckolivas/lrzip/issues/262
https://github.com/user-attachments/files/21709004/PoC_UAF.zip
https://vuldb.com/?ctiid.344926
https://vuldb.com/?id.344926
https://vuldb.com/?submit.752595