CVE-2025-58058
Published: 2025-08-28
Priority: P4 · 27 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 0.39% (30.3th percentile)
xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would allow such an issue to be detected. Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done. This issue has been patched in version 0.5.14.
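The header ambiguity described above, as an added Go example (not code from ulikunitz/xz or from the advisory): a check that runs before any decoding buffer is allocated. The function names, the `maxDict` policy parameter and the sample bytes are assumptions constructed for illustration; the first-stream-byte test follows the range decoder initialisation in the LZMA specification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Classic .lzma header: 1 properties byte, 4-byte little-endian dictionary
// size, 8-byte little-endian uncompressed size. No magic number, no checksum.
const headerLen = 13

var (
	ErrShort      = errors.New("lzma: need header plus first stream byte")
	ErrProps      = errors.New("lzma: properties byte out of range")
	ErrDictCap    = errors.New("lzma: dictionary size above configured cap")
	ErrRangeCoder = errors.New("lzma: first range-coder byte is not zero")
)

type Header struct {
	LC, LP, PB int
	DictSize   uint32
	Size       uint64 // all ones means "unknown, end marker expected"
}

// CheckHeader validates the header and the first byte of the range-coded
// stream. maxDict is a caller-chosen cap (hypothetical policy value) that
// bounds the allocation even when garbage is accepted as a header.
func CheckHeader(b []byte, maxDict uint32) (Header, error) {
	if len(b) < headerLen+1 {
		return Header{}, ErrShort
	}
	p := int(b[0])
	if p >= 9*5*5 { // properties = lc + 9*(lp + 5*pb), lc<9, lp<5, pb<5
		return Header{}, ErrProps
	}
	h := Header{
		LC: p % 9, LP: (p / 9) % 5, PB: p / 45,
		DictSize: binary.LittleEndian.Uint32(b[1:5]),
		Size:     binary.LittleEndian.Uint64(b[5:13]),
	}
	if h.DictSize > maxDict {
		return h, ErrDictCap
	}
	// The range decoder treats a non-zero first byte as corruption, so it
	// can be tested here instead of after the dictionary is allocated.
	if b[headerLen] != 0 {
		return h, ErrRangeCoder
	}
	return h, nil
}

// SampleStream returns a constructed header (lc=3, lp=0, pb=2, 1 MiB
// dictionary, unknown size) followed by the first stream byte.
func SampleStream() []byte {
	b := []byte{0x5D, 0x00, 0x00, 0x10, 0x00}
	b = append(b, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF)
	return append(b, 0x00)
}

func main() {
	good := SampleStream()
	cases := []struct {
		name  string
		data  []byte
		limit uint32
	}{
		{"clean stream", good, 64 << 20},
		// Five constructed bytes in front: they parse as a valid properties
		// byte and a dictionary size of 0x7FFFFFFF (about 2 GiB).
		{"5-byte prefix", append([]byte{0x20, 0xFF, 0xFF, 0xFF, 0x7F}, good...), 64 << 20},
		// One byte in front: the shifted dictionary size passes a loose cap,
		// but the byte after the header is no longer zero.
		{"1-byte prefix", append([]byte{0x00}, good...), 1 << 30},
	}
	for _, c := range cases {
		h, err := CheckHeader(c.data, c.limit)
		fmt.Printf("%-14s dict=%d err=%v\n", c.name, h.DictSize, err)
	}
}
```

Because the format has no magic number, these checks narrow the set of byte sequences accepted as a header but cannot close it; the dictionary cap is what bounds the worst-case allocation.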
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-ulikunitz-xz | < golang-github-ulikunitz-xz 0.5.15-1 (forky) | golang-github-ulikunitz-xz 0.5.15-1 (forky) |
| github.com | ulikunitz_xz | >= 0 < 0.5.15 | 0.5.15 |
| msrc | azl3_containerized-data-importer_1.57.0-14 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-15 | — | — |
| msrc | azl3_containerized-data-importer_1.57.0-16 | — | — |
| msrc | azl3_jx_3.10.182-1 | — | — |
| msrc | azl3_jx_3.10.182-2 | — | — |
| msrc | azl3_jx_3.10.182-3 | — | — |
| msrc | azl3_libcontainers-common_20240213-3 | — | — |
| msrc | azl3_packer_1.9.5-10 | — | — |
| msrc | azl3_packer_1.9.5-9 | — | — |
| msrc | azl3_skopeo_1.14.4-5 | — | — |
| msrc | azl3_skopeo_1.14.4-6 | — | — |
| msrc | cbl2_containerized-data-importer_1.55.0-23 | — | — |
| msrc | cbl2_containerized-data-importer_1.55.0-24 | — | — |
| msrc | cbl2_containerized-data-importer_1.55.0-25 | — | — |
| msrc | cbl2_cri-o_1.22.3-14 | — | — |
| msrc | cbl2_cri-o_1.22.3-15 | — | — |
| msrc | cbl2_cri-o_1.22.3-16 | — | — |
| msrc | cbl2_jx_3.2.236-21 | — | — |
| msrc | cbl2_jx_3.2.236-22 | — | — |
| msrc | cbl2_jx_3.2.236-23 | — | — |
| msrc | cbl2_kernel_5.15.176.3-3_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.180.1-1_on_cbl_mariner_2.0 | — | — |
| ulikunitz | xz | < 0.5.14 | 0.5.14 |
CVSS provenance
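| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| osv | 5.3 | MEDIUM | — |
| vendor_msrc | 5.5 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |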
OSV
Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz
osv·2025-09-17
CVE-2025-58058 Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz
OSV
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
osv·2025-08-28
CVE-2025-58058 [MEDIUM] github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
### Summary
It is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. According to the [specification](https://github.com/jljusten/LZMA-SDK/blob/master/DOC/lzma-specification.txt), the LZMA header includes neither a magic number nor a checksum that would allow such an issue to be detected.
Note that the code recognizes the issue later while reading the stream, but by that time the memory allocation has already been done.
### Mitigations
The release v0.5.15 includes the following mitigations:
- The ReaderConfig
GHSA
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
ghsa·2025-08-28
CVE-2025-58058 [MEDIUM] CWE-770 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
OSV
CVE-2025-58058: xz is a pure golang package for reading and writing xz-compressed files
osv·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058: xz is a pure golang package for reading and writing xz-compressed files
Red Hat
github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
vendor_redhat·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CWE-770 github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
A memory leak flaw has been discovered in the golang github.
Microsoft
github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
vendor_msrc·2025-08-12·CVSS 5.3
CVE-2025-58058 [MEDIUM] CWE-770 github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Marine
Microsoft
ubifs: skip dumping tnc tree when zroot is null
vendor_msrc·2025-03-11·CVSS 5.5
CVE-2024-58058 [MEDIUM] CWE-476 ubifs: skip dumping tnc tree when zroot is null
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microso
Debian
CVE-2025-58058: golang-github-ulikunitz-xz - xz is a pure golang package for reading and writing xz-compressed files. Prior t...
vendor_debian·2025·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058: golang-github-ulikunitz-xz - xz is a pure golang package for reading and writing xz-compressed files. Prior t...
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 0.5.15-1)
sid: resolved (fixed in 0.5.15-1)
trixie: ope
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-58058 dnsx: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 dnsx: github.com/ulikunitz/xz leaks memory [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from relea
Bugzilla
CVE-2025-58058 golang-github-projectdiscovery-chaos-client: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-projectdiscovery-chaos-client: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 osbuild-composer: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 osbuild-composer: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 google-osconfig-agent: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 google-osconfig-agent: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 kata-containers: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 kata-containers: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 asnmap: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 asnmap: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.29: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.29: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.31: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.31: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 golang-github-facebookincubator-go2chef: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-facebookincubator-go2chef: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o1.32: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.32: github.com/ulikunitz/xz leaks memory [fedora-42]
Discussion:
govulcheck confirmed
Bugzilla
CVE-2025-58058 github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory
Bugzilla
CVE-2025-58058 cri-o1.30: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o1.30: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 cri-o: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 cri-o: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 image-builder: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 image-builder: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 golang-github-ulikunitz-xz: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 golang-github-ulikunitz-xz: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 source-to-image: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 source-to-image: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 transifex-client: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 transifex-client: github.com/ulikunitz/xz leaks memory [fedora-42]
Bugzilla
CVE-2025-58058 buildah: github.com/ulikunitz/xz leaks memory [fedora-42]
bugzilla·2025-08-28·CVSS 5.3
CVE-2025-58058 [MEDIUM] CVE-2025-58058 buildah: github.com/ulikunitz/xz leaks memory [fedora-42]