CVE-2025-31115

CVE-2025-31115

Name

CVE-2025-31115

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
MISC	https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
MISC	https://tukaani.org/xz/xz-cve-2025-31115.patch
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/04/03/1
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/04/03/2
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2025/04/03/3

Type

URI

CONFIRM

https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2

MISC

https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480

MISC

https://tukaani.org/xz/xz-cve-2025-31115.patch

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/04/03/1

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/04/03/2

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/04/03/3

CPE URI	Source package	Min version	Max version
	xz	>= 5.3.3alpha	< 5.8.1

CPE URI

Source package

Min version

Max version

>= 5.3.3alpha

< 5.8.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
xz	edge-main	5.8.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.8.0-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.6.4-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.6.3-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.6.1-r3	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.6.1-r2	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	edge-main	5.6.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.23-main	5.8.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.22-main	5.8.1-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.22-main	5.6.1-r2	None	possibly vulnerable
xz	3.21-main	5.6.3-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.21-main	5.6.3-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
xz	3.21-main	5.6.1-r2	None	possibly vulnerable
xz	3.20-main	5.6.2-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.20-main	5.6.2-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
xz	3.20-main	5.6.1-r3	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
xz	3.20-main	5.6.1-r2	None	possibly vulnerable
xz	3.19-main	5.4.5-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed
xz	3.19-main	5.4.5-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
xz	3.18-main	5.4.3-r1	Natanael Copa <ncopa@alpinelinux.org>	fixed

Source package

Branch

Version

Maintainer

Status

edge-main

5.8.1-r0

Natanael Copa <ncopa@alpinelinux.org>

fixed

edge-main

5.8.0-r0

Natanael Copa <ncopa@alpinelinux.org>