CVE-2021-3520

Name
CVE-2021-3520
Description
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://bugzilla.redhat.com/show_bug.cgi?id=1954559
N/A https://www.oracle.com//security-alerts/cpujul2021.html
MISC https://www.oracle.com/security-alerts/cpuoct2021.html
CONFIRM https://security.netapp.com/advisory/ntap-20211104-0005/
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:lz4_project:lz4:1.8.3:*:*:*:*:*:*:* lz4 == None == 1.8.3

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
lz4 3.15-main 1.9.3-r1 Stuart Cardall <developer@it-offshore.co.uk> fixed
lz4 3.14-main 1.9.3-r1 Stuart Cardall <developer@it-offshore.co.uk> fixed
lz4 3.13-main 1.9.2-r1 Stuart Cardall <developer@it-offshore.co.uk> fixed
lz4 3.12-main 1.9.2-r1 Stuart Cardall <developer@it-offshore.co.uk> fixed
lz4 3.16-main 1.9.3-r1 Stuart Cardall <developer@it-offshore.co.uk> fixed