Data Compression Library Vulnerability in XZ Utils
CVE-2025-31115
Key Information:
- Vendor: Tukaani-project
- Status: Vendor
- CVE Published: 3 April 2025
What is CVE-2025-31115?
CVE-2025-31115 is a vulnerability in XZ Utils, a widely used data-compression library and command-line tool developed by the Tukaani project. It affects versions 5.3.3alpha to 5.8.0, where a flaw in the multithreaded .xz decoder can lead to critical issues, including application crashes. Invalid input can trigger a heap use-after-free and may allow writes to an address derived from a null pointer, which can severely disrupt any application or library that uses the affected lzma_stream_decoder_mt function. Given how widely XZ Utils is embedded in other software, this vulnerability poses significant risk to organizations that rely on the library for data compression.
Technical Details
The vulnerability arises from a bug in the multithreaded decoder implemented in liblzma, the library component of XZ Utils. The root cause lies in the handling of invalid input, which can lead to memory-safety problems such as a heap use-after-free. When triggered, the flaw can crash the application and may allow writes to memory, paving the way for further exploitation. The maintainers have released a fix in version 5.8.1 together with a standalone patch that can be applied to all impacted versions.
Potential Impact of CVE-2025-31115
- System Crashes: The most immediate impact is the potential for applications to crash, disrupting business operations and potentially resulting in temporary service outages.
- Security Risks: The memory-safety defects associated with this flaw can be exploited by attackers to execute arbitrary code, which could lead to unauthorized access, data breaches, and the compromise of sensitive information.
- Widespread Vulnerability: Because XZ Utils is integrated into many applications and libraries, the flaw has broad exposure, heightening the risk that multiple systems are affected and amplifying the potential for large-scale exploitation.
Affected Version(s)
xz >= 5.3.3alpha, < 5.8.1
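The affected range above is easy to misjudge by eye because XZ Utils version strings carry pre-release suffixes (5.3.3alpha, 5.5.1beta) that sort before the final release of the same number. The following script, added here as an example and not code from the page or from the Tukaani project, parses such strings, decides whether a given version falls inside the vulnerable range, and optionally reads the liblzma version from the locally installed `xz --version` output. The sample output string is constructed. Note that a version in range means the library carries the bug; whether a particular application is exposed still depends on whether it calls the multithreaded decoder (lzma_stream_decoder_mt) at all.

```python
import re
import shutil
import subprocess

# Affected range as stated in the advisory: xz >= 5.3.3alpha, < 5.8.1
# (5.8.1 is the release that contains the fix for CVE-2025-31115).
AFFECTED_FROM = "5.3.3alpha"
FIXED_IN = "5.8.1"

# Pre-release stages sort before the final release of the same number.
_STAGE_RANK = {"alpha": 0, "beta": 1, "": 2}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")


def parse_version(text):
    """Turn an XZ Utils version string such as '5.3.3alpha' or '5.8.1'
    into a comparable tuple (major, minor, patch, stage_rank)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised xz version string: {text!r}")
    major, minor, patch, stage = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage or ""])


def is_affected(version):
    """True if this liblzma/xz version falls inside the vulnerable range."""
    v = parse_version(version)
    return parse_version(AFFECTED_FROM) <= v < parse_version(FIXED_IN)


def version_from_xz_output(output):
    """Extract the liblzma version from `xz --version` output.

    `xz --version` prints two lines, for example:
        xz (XZ Utils) 5.4.1
        liblzma 5.4.1
    The liblzma line is the one that matters, because the bug is in the
    library's multithreaded decoder, not in the command-line front end.
    """
    for line in output.splitlines():
        if line.startswith("liblzma"):
            return line.split()[1]
    raise ValueError("no liblzma line in xz --version output")


def check_installed_xz():
    """Run the locally installed xz (if any) and report whether it is affected.
    Returns (version, affected) or None when xz is not on PATH."""
    if shutil.which("xz") is None:
        return None
    out = subprocess.run(["xz", "--version"], capture_output=True,
                         text=True, check=True).stdout
    ver = version_from_xz_output(out)
    return ver, is_affected(ver)


if __name__ == "__main__":
    # Constructed sample output, in the format `xz --version` uses.
    SAMPLE = "xz (XZ Utils) 5.6.2\nliblzma 5.6.2\n"
    v = version_from_xz_output(SAMPLE)
    print(f"sample liblzma {v}: affected={is_affected(v)}")
    result = check_installed_xz()
    if result is None:
        print("xz not found on PATH")
    else:
        print(f"installed liblzma {result[0]}: affected={result[1]}")
```

Because the comparison is done on tuples rather than on the raw strings, 5.3.2alpha correctly lands outside the range while 5.3.3alpha and 5.8.0 land inside it; distribution packages that backport the fix without bumping the version number will still report as affected here, so confirm against the distribution's own advisory in that case.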
News Articles

- CVE-2025-31115 | Ubuntu

- CVE-2025-31115: Threaded .xz decoder frees memory too early
  In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to...