CVE-2025-31115

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
GitHub_MCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 29%
Debian logo
Debian Releases
Debian Product
Codename
xz-utils
bullseye (security)
5.2.5-2.1~deb11u1
fixed
bullseye
5.2.5-2.1~deb11u1
not-affected
bookworm
5.4.1-1
fixed
bookworm (security)
5.4.1-1
fixed
sid
5.8.1-1
fixed
trixie
5.8.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xz-utils
plucky
Fixed 5.6.4-1ubuntu1
released
oracular
Fixed 5.6.2-2ubuntu0.2
released
noble
Fixed 5.6.1+really5.4.5-1ubuntu0.2
released
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
https://tukaani.org/xz/xz-cve-2025-31115.patch
http://www.openwall.com/lists/oss-security/2025/04/03/1
http://www.openwall.com/lists/oss-security/2025/04/03/2
http://www.openwall.com/lists/oss-security/2025/04/03/3