CVE-2026-34743 — Heap-based Buffer Overflow in Xz-utils

CWE-122 — Heap-based Buffer Overflow CWE-131 — Incorrect Calculation of Buffer Size8 documents7 sources

Severity

1.7LOWNVD

EPSS

0.1%

top 82.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tukaani-project XZ Debian Xz-utils Msrc Azl3 Rust 1.75.0-27 ON Azure Linux 3.0 +5 more

Timeline

PublishedApr 2

Latest updateApr 11

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages8 packages

▶debiandebian/xz-utils< xz-utils 5.8.3-1 (forky)

▶CVEListV5tukaani-project/xz< 5.8.3

▶msrcmsrc/azl3_xz_5.4.4-2_on_azure_linux_3.0

▶msrcmsrc/cbl2_xz_5.2.5-1_on_cbl_mariner_2.0

▶msrcmsrc/azl3_rust_1.90.0-6_on_azure_linux_3.0

🔴Vulnerability Details

VulDB

tukaani-project xz up to 5.8.2 Compression lzma_index_decoder heap-based overflow (GHSA-x872-m794-cxhv / Nessus ID 305980)↗2026-04-11

▶

OSV

CVE-2026-34743: XZ Utils provide a general-purpose data-compression library plus command-line tools↗2026-04-02

▶

OSV

CVE-2026-34743: [liblzma: Fix a buffer overflow in lzma_index_append()]↗2026-04-02

▶

📋Vendor Advisories

Red Hat

xz: XZ Utils: Denial of Service via buffer overflow in index decoding↗2026-04-02

▶

Microsoft

XZ Utils: Buffer overflow in lzma_index_append()↗2026-04-02

▶

Debian

CVE-2026-34743: xz-utils - XZ Utils provide a general-purpose data-compression library plus command-line to...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-34743 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶