CVE-2021-3520
Published: 2021-06-02
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to a call to memmove() with a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | lz4 | < lz4 1.9.3-2 (bookworm) | lz4 1.9.3-2 (bookworm) |
| lz4_project | lz4 | — | — |
| lz4_project | lz4 | >= 0 < 1.9.3-2 | 1.9.3-2 |
| lz4_project | lz4 | >= 0 < 1.9.3-2 | 1.9.3-2 |
| lz4_project | lz4 | >= 0 < 1.9.3-2 | 1.9.3-2 |
| lz4_project | lz4 | >= 0 < 1.9.3-2 | 1.9.3-2 |
| lz4_project | lz4 | >= 1.8.3 < 1.9.4 | 1.9.4 |
| oracle | communications_cloud_native_core_policy | — | — |
| oracle | zfs_storage_appliance_kit | — | — |
| splunk | universal_forwarder | — | — |
| splunk | universal_forwarder | >= 8.2.0 < 8.2.12 | 8.2.12 |
| splunk | universal_forwarder | >= 9.0.0 < 9.0.6 | 9.0.6 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | 9.8 | CRITICAL | — |
| osv | 9.8 | CRITICAL | — |