CVE-2025-58058: Allocation of Resources Without Limits or Throttling in XZ

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 80.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 28; latest update Sep 17

Description

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without the situation being detected while the header is read. This can lead to increased memory consumption, because the current implementation allocates the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that could detect such a situation.
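The allocation problem described above, shown in an added Go example that is not code from ulikunitz/xz: a hypothetical parseHeader for the 13-byte LZMA header enforces a caller-supplied dictionary-size cap before any buffer is sized from the header, so that bytes sitting in front of a stream (which the header format itself cannot detect) cannot drive an oversized allocation. The header layout, the sample bytes and the 64 MiB limit are assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// 13-byte "LZMA alone" header: properties byte, 4-byte LE dictionary size,
// 8-byte LE uncompressed size (all ones = unknown). No magic, no checksum.
type lzmaHeader struct {
	LC, LP, PB int
	DictSize   uint32
	Size       uint64
}

var errBadProps = fmt.Errorf("lzma: invalid properties byte")
var errDictTooLarge = fmt.Errorf("lzma: dictionary size exceeds limit")

// parseHeader (hypothetical helper) decodes the header and refuses a
// dictionary size above maxDict before any decoding buffer is sized from it:
// nothing authenticates the header, so bytes in front of a real stream parse
// as a header too, and the cap bounds what such input can make us allocate.
func parseHeader(b []byte, maxDict uint32) (lzmaHeader, error) {
	if len(b) < 13 {
		return lzmaHeader{}, fmt.Errorf("lzma: header too short")
	}
	props := int(b[0])
	if props >= 9*5*5 { // props = lc + lp*9 + pb*45 with lc<9, lp<5, pb<5
		return lzmaHeader{}, errBadProps
	}
	h := lzmaHeader{
		LC: props % 9, LP: (props / 9) % 5, PB: props / 45,
		DictSize: binary.LittleEndian.Uint32(b[1:5]),
		Size:     binary.LittleEndian.Uint64(b[5:13]),
	}
	if h.DictSize > maxDict {
		return lzmaHeader{}, fmt.Errorf("%w: %d > %d", errDictTooLarge, h.DictSize, maxDict)
	}
	return h, nil
}

// Constructed samples: a sane header (lc=3, lp=0, pb=2, 8 MiB dictionary), and the
// same bytes behind five junk bytes, which parse as a header wanting a 4 GiB dictionary.
var goodHeader = []byte{0x5d, 0, 0, 0x80, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
var junkPrefixed = append([]byte{0x00, 0xff, 0xff, 0xff, 0xff}, goodHeader...)

func main() {
	for _, in := range [][]byte{goodHeader, junkPrefixed} {
		h, err := parseHeader(in, 64<<20) // allow at most a 64 MiB dictionary
		fmt.Printf("dict=%d err=%v\n", h.DictSize, err)
	}
}
```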

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: ulikunitz/xz < 0.5.14

Vulnerability Details (5)

OSV: Memory leaks when decoding a corrupted multiple LZMA archives in github.com/ulikunitz/xz (2025-09-17)
OSV: github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives (2025-08-28)
GHSA: github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives (2025-08-28)
CVEList: github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives (2025-08-28)
OSV: CVE-2025-58058: xz is a pure golang package for reading and writing xz-compressed files (2025-08-28)

Vendor Advisories (4)

Red Hat: github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory (2025-08-28)
Microsoft: github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives (2025-08-12)
Microsoft: ubifs: skip dumping tnc tree when zroot is null (2025-03-11)
Debian: CVE-2025-58058: golang-github-ulikunitz-xz - xz is a pure golang package for reading and writing xz-compressed files. Prior t... (2025)
CVE-2025-58058 — Ulikunitz XZ vulnerability | cvebase