CVE-2026-34743

EUVD-2026-18505
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
1.7 LOW
NETWORK
LOW
NONE
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
tukaanixz
𝑥
< 5.8.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xz-utils
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87
https://github.com/tukaani-project/xz/releases/tag/v5.8.3
https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv
http://www.openwall.com/lists/oss-security/2026/03/31/13