Vulnerability Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tukaani | Xz | < 5.8.3 |
Related Weaknesses (CWE)
References
- https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff993Patch
- https://github.com/tukaani-project/xz/releases/tag/v5.8.3ProductRelease Notes
- https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhvVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/03/31/13Mailing ListPatchThird Party Advisory
FAQ
What is CVE-2026-34743?
CVE-2026-34743 is a vulnerability with a CVSS score of 5.3 (MEDIUM). XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resultin...
How severe is CVE-2026-34743?
CVE-2026-34743 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-34743?
Check the references section above for vendor advisories and patch information. Affected products include: Tukaani Xz.