CVE-2026-32829

EUVD-2026-13426

20.03.2026, 01:15

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0,  decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Affected Products (NVD)

Vendor	Product	Version
pseitz	lz4_flex	𝑥 < 0.11.6
pseitz	lz4_flex	0.12.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rust-lz4-flex

forky	0.13.0-1 fixed
sid	0.13.0-1 fixed
trixie	no-dsa

Ubuntu Releases

Ubuntu Product

Codename

rust-lz4-flex

jammy	dne
noble	needs-triage
questing	needs-triage
resolute	needs-triage

Common Weakness Enumeration

CWE-201 - Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

References

https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d

https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv

https://rustsec.org/advisories/RUSTSEC-2026-0041.html