Severity: 8.7 HIGH (NVD)
EPSS: 0.3% (top 50.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 3; Latest update Nov 14

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4,

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

debian: debian/xz-utils, < xz-utils 5.4.1-1 (bookworm)
CVEListV5: tukaani-project/xz, >= 5.3.3alpha, < 5.8.1

Vulnerability Details (2)

OSV: Use after free in multithreaded lzma (.xz) decoder (2025-11-14)
OSV: CVE-2025-31115: XZ Utils provide a general-purpose data-compression library plus command-line tools (2025-04-03)

Vendor Advisories (6)

BSD: FreeBSD-SA-25:06.xz: Use-after-free in multi-threaded xz decoder (2025-07-02)
CISA ICS: Siemens SIMATIC S7-1500 CPU Family (2025-06-12)
Microsoft: XZ has a heap-use-after-free bug in threaded .xz decoder (2025-04-08)
Ubuntu: XZ Utils vulnerability (2025-04-03)
Red Hat: xz: XZ has a heap-use-after-free bug in threaded .xz decoder (2025-04-03)