CVE-2026-34743

EUVD-2026-18505
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
Affected Products (NVD)
VendorProductVersion
tukaanixz
𝑥
< 5.8.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xz-utils
bookworm
no-dsa
bookworm (security)
vulnerable
bullseye
postponed
bullseye (security)
vulnerable
forky
5.8.3-1
fixed
sid
5.8.3-1
fixed
trixie
no-dsa
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
liblzma5
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 12 SP3
5.0.5-6.10.1
fixed
suse enterprise server 12 SP5
5.0.5-6.10.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
liblzma5-32bit
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 12 SP3
5.0.5-6.10.1
fixed
suse enterprise server 12 SP5
5.0.5-6.10.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
xz
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 12 SP3
5.0.5-6.10.1
fixed
suse enterprise server 12 SP5
5.0.5-6.10.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
xz-devel
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 12 SP5
5.0.5-6.10.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
xz-lang
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 12 SP3
5.0.5-6.10.1
fixed
suse enterprise server 12 SP5
5.0.5-6.10.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
xz-static-devel
suse enterprise desktop 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise sap 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise sap 15 SP7
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP4
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP5
5.2.3-150000.4.10.1
fixed
suse enterprise server 15 SP6
5.4.1-150600.3.6.1
fixed
suse enterprise server 15 SP7
5.4.1-150600.3.6.1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
rust
Azure Linux 3.0
0:1.75.0-28.azl3
fixed
xz
Azure Linux 3.0
0:5.4.4-3.azl3
fixed