CVE-2026-34743 LOW

CVE-2026-34743: XZ Utils: Buffer overflow in lzma_index_append()

Vendor Tukaani-Project
Product xz
Weakness CWE-122
Published April 2, 2026
Last update April 3, 2026

CVSS base score

1.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Key dates

02Disclosure timeline

April 2, 2026 CVE published
April 3, 2026 Record updated