{"id":"USN-7414-1","summary":"xz-utils vulnerability","details":"Harri K. Koskinen discovered that XZ Utils incorrectly handled the threaded\nxz decoder. If a user or automated system were tricked into processing an\nxz file, a remote attacker could use this issue to cause XZ Utils to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n","modified":"2026-04-22T11:34:52.214666Z","published":"2025-04-03T17:36:53Z","related":["UBUNTU-CVE-2025-31115"],"upstream":["CVE-2025-31115","UBUNTU-CVE-2025-31115"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7414-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-31115"}],"affected":[{"package":{"name":"xz-utils","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/xz-utils@5.6.1+really5.4.5-1ubuntu0.2?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.6.1+really5.4.5-1ubuntu0.2"}]}],"versions":["5.4.1-0.2","5.4.4-0.1","5.4.5-0.1","5.4.5-0.3","5.6.0-0.2","5.6.1+really5.4.5-1","5.6.1+really5.4.5-1build0.1"],"ecosystem_specific":{"binaries":[{"binary_name":"liblzma5","binary_version":"5.6.1+really5.4.5-1ubuntu0.2"},{"binary_name":"xz-utils","binary_version":"5.6.1+really5.4.5-1ubuntu0.2"},{"binary_name":"xzdec","binary_version":"5.6.1+really5.4.5-1ubuntu0.2"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2025-31115","severity":[{"score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","type":"CVSS_V4"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7414-1.json"}}],"schema_version":"1.7.5"}