{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34743", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T19:17:10.224Z", "datePublished": "2026-04-02T18:36:37.450Z", "dateUpdated": "2026-04-03T12:59:06.096Z"}, "containers": {"cna": {"title": "XZ Utils: Buffer overflow in lzma_index_append()", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "lang": "en", "description": "CWE-122: Heap-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 1.7, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv"}, {"name": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87", "tags": ["x_refsource_MISC"], "url": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87"}, {"name": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3"}], "affected": [{"vendor": "tukaani-project", "product": "xz", "versions": [{"version": "< 5.8.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:36:37.450Z"}, "descriptions": [{"lang": "en", "value": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3."}], "source": {"advisory": "GHSA-x872-m794-cxhv", "discovery": "UNKNOWN"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/31/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-02T19:24:10.537Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T12:58:58.398176Z", "id": "CVE-2026-34743", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:59:06.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/03/31/13"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-02T19:24:10.537Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34743", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T12:58:58.398176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T12:59:01.999Z"}}], "cna": {"title": "XZ Utils: Buffer overflow in lzma_index_append()", "source": {"advisory": "GHSA-x872-m794-cxhv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 1.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "tukaani-project", "product": "xz", "versions": [{"status": "affected", "version": "< 5.8.3"}]}], "references": [{"url": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv", "name": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87", "name": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3", "name": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122: Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T18:36:37.450Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34743", "state": "PUBLISHED", "dateUpdated": "2026-04-03T12:59:06.096Z", "dateReserved": "2026-03-30T19:17:10.224Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T18:36:37.450Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3."}], "id": "CVE-2026-34743", "lastModified": "2026-04-03T16:10:23.730", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T19:21:33.187", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87"}, {"source": "security-advisories@github.com", "url": "https://github.com/tukaani-project/xz/releases/tag/v5.8.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/03/31/13"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "xz: XZ Utils: Denial of Service via buffer overflow in index decoding", "id": "2454589", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454589"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-131", "details": ["XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.", "A flaw was found in XZ Utils. When the `lzma_index_decoder()` function processes an empty index, and a subsequent `lzma_index_append()` operation is performed, insufficient memory is allocated. This can lead to a buffer overflow, potentially causing a denial of service (DoS) for affected systems."], "name": "CVE-2026-34743", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "xz", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Fix deferred", "package_name": "xz", "product_name": "Red Hat Hardened Images 1"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-04-02T18:36:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-34743\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34743\nhttps://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87\nhttps://github.com/tukaani-project/xz/releases/tag/v5.8.3\nhttps://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.8.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xz", "source": "cna", "vendor": "tukaani-project"}, "product": "xz", "vendor": "tukaani-project"}], "analysis": {"en": {"generated_at": "2026-04-02T22:51:15.008337+00:00", "value": {"mitigation_remediation": ["Update XZ Utils to version 5.8.3 or later.", "If an immediate upgrade is not possible, ensure that untrusted index files are not processed by lzma_index_decoder or lzma_index_append.", "Continuously monitor vendor advisories and security mailing lists for future patches or related vulnerabilities."], "summary": {"action": "Apply Patch", "impact": "Memory corruption"}, "threat_synthesis": {"affected_systems": "This issue affects the XZ Utils package from the tukaani\u2011project, specifically any installation running a version older than 5.8.3. The fix was applied in the 5.8.3 release.", "description_and_impact": "The XZ Utils library implements a general-purpose data-compression engine. Prior to version 5.8.3, if the function lzma_index_decoder decoded an Index that contained no Records, the resulting lzma_index object remained in an incomplete state. When a subsequent lzma_index_append call was made, the code allocated insufficient memory for the index, causing a buffer overflow. This memory corruption can lead to program crashes, data corruption, or, if an attacker controls the crafted index file, potential arbitrary code execution. Based on the description, the overflow could be leveraged by an attacker to control program flow.", "risk_and_exploitability": "The CVSS score of 1.7 indicates low severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The likely attack vector is local and requires an application or user to process a crafted index file. The overflow occurs during the append operation, so the threat is limited to processes that invoke lzma_index_append on user-controlled data. Based on the description, it is inferred that the vulnerability could be used for code execution if the attacker controls the index."}}}}, "created": "2026-04-03T07:31:42.932767+00:00", "updated": "2026-04-03T09:16:39.815019+00:00", "vendors": ["tukaani-project", "tukaani-project$PRODUCT$xz"]}