Vulnerability Description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pseitz | Lz4 Flex | < 0.11.6 |
Related Weaknesses (CWE)
References
- https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9bPatch
- https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvvMitigationVendor Advisory
- https://rustsec.org/advisories/RUSTSEC-2026-0041.htmlThird Party Advisory
FAQ
What is CVE-2026-32829?
CVE-2026-32829 is a vulnerability with a CVSS score of 7.5 (HIGH). lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized mem...
How severe is CVE-2026-32829?
CVE-2026-32829 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32829?
Check the references section above for vendor advisories and patch information. Affected products include: Pseitz Lz4 Flex.