{"id":"HSEC-2025-0003","summary":"Use after free in multithreaded lzma (.xz) decoder","details":"# Use after free in multithreaded lzma (.xz) decoder\n\nIn XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in\nliblzma has a bug where invalid input can at least result in a crash\n(CVE-2025-31115). The effects include heap use after free and\nwriting to an address based on the null pointer plus an offset.\nApplications and libraries that use the `lzma_stream_decoder_mt`\nfunction are affected.\n\nThe Haskell *xz-clib* library vendors and builds the C\nimplementation.  The *xz* package does not use the multithreaded\ndecoder and is therefore unaffected.\n","aliases":["CVE-2025-31115","GHSA-6cc8-p5mm-29w2"],"modified":"2025-11-17T05:59:51.195748Z","published":"2025-11-14T14:45:34Z","database_specific":{"repository":"https://github.com/haskell/security-advisories","home":"https://github.com/haskell/security-advisories","osvs":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export"},"references":[{"type":"ARTICLE","url":"https://tukaani.org/xz/threaded-decoder-early-free.html"},{"type":"FIX","url":"https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480"},{"type":"FIX","url":"https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951"}],"affected":[{"package":{"name":"xz-clib","ecosystem":"Hackage","purl":"pkg:hackage/xz-clib"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"5.6.3"},{"fixed":"5.8.1"}]}],"versions":["5.6.3","5.6.4","5.8.0","5.8.0.1"],"database_specific":{"human_link":"https://github.com/haskell/security-advisories/tree/main/advisories/published/2025/HSEC-2025-0003.md","source":"https://github.com/haskell/security-advisories/blob/generated/osv-export/2025/HSEC-2025-0003.json","osv":"https://raw.githubusercontent.com/haskell/security-advisories/refs/heads/generated/osv-export/2025/HSEC-2025-0003.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}],"schema_version":"1.7.3"}