GHSA-VVP9-7P8X-RFVV: Information Leak via Out-of-Bounds Read in lz4_flex
Vulnerability ID: GHSA-VVP9-7P8X-RFVV
CVSS Score: 7.5
Published: 2026-03-16
The lz4_flex Rust crate prior to version 0.11.4 does not properly validate LZ4 match offsets during block decompression. A crafted LZ4 payload can specify a match whose offset reaches back further than the output the decompressor has produced so far, so the match copy reads memory the decompressor never wrote: uninitialized memory or the contents of previously freed buffers. Those bytes are emitted as decompressed output, exposing sensitive data to whoever controls the input.
TL;DR
Unvalidated LZ4 match offsets in lz4_flex < 0.11.4 allow attackers to leak uninitialized memory or reused buffer contents via crafted compressed payloads.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-125, CWE-200
- Attack Vector: Network
- CVSS: 7.5
- Exploit Status: Proof-of-Concept (Fuzzer)
- Impact: High (confidentiality)
- KEV Status: Unlisted
Affected Systems
- lz4_flex Rust crate: < 0.11.4 (fixed in 0.11.4)
Code Analysis
Commit: 055502e
Fix information leak in block decompression by validating match offsets.
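To make the failure mode concrete, here is an added example of a minimal LZ4 block decoder. It is not lz4_flex's code and not the diff of the fix commit; the DecodeError type, the payloads and the stale secret are all constructed for this example. The output region lives inside a simulated heap whose first bytes hold stale data from an earlier allocation. With validate_offset off, a crafted match whose offset exceeds the bytes produced so far copies those stale bytes into the output; with it on, the same payload is rejected before any copy happens.

```rust
// Added example: a minimal LZ4 block decoder illustrating the missing match-offset
// check. It is NOT lz4_flex's code; names, payloads and the stale secret are constructed.

#[derive(Debug, Clone, PartialEq)]
pub enum DecodeError {
    Truncated,
    ZeroOffset,
    OffsetBeforeOutput { offset: usize, written: usize },
    OutputTooSmall,
}

/// LZ4 length extension: a nibble of 15 is followed by bytes that are summed,
/// continuing while each byte is 255.
fn read_len_ext(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*ip).ok_or(DecodeError::Truncated)?;
        *ip += 1;
        len += b as usize;
        if b != 255 {
            return Ok(len);
        }
    }
}

/// Decodes one LZ4 block into `heap[base..]` and returns the byte count produced.
/// `heap` simulates the allocator: bytes before `base` belong to other (or freed)
/// allocations. With `validate_offset == false` the decoder mirrors the pre-0.11.4
/// behaviour: a match offset larger than `written` copies from before `base`.
pub fn decode_block(input: &[u8], heap: &mut [u8], base: usize, validate_offset: bool)
    -> Result<usize, DecodeError>
{
    let mut ip = 0;
    let mut written = 0; // output bytes produced so far, relative to `base`
    loop {
        let token = *input.get(ip).ok_or(DecodeError::Truncated)?;
        ip += 1;

        // Literal run: high nibble is the length (15 = extended).
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 {
            lit_len = read_len_ext(input, &mut ip, lit_len)?;
        }
        let lits = input.get(ip..ip + lit_len).ok_or(DecodeError::Truncated)?;
        let out = base + written;
        heap.get_mut(out..out + lit_len).ok_or(DecodeError::OutputTooSmall)?.copy_from_slice(lits);
        ip += lit_len;
        written += lit_len;
        if ip == input.len() {
            return Ok(written); // the final sequence carries literals only
        }

        // Match: 2-byte little-endian offset, then length = low nibble + 4 (15 = extended).
        let off = input.get(ip..ip + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0f) as usize;
        if match_len == 15 {
            match_len = read_len_ext(input, &mut ip, match_len)?;
        }
        match_len += 4;

        if offset == 0 {
            return Err(DecodeError::ZeroOffset);
        }
        // The check the fix adds: the match must point into bytes this block already produced.
        if validate_offset && offset > written {
            return Err(DecodeError::OffsetBeforeOutput { offset, written });
        }
        let out = base + written;
        // Without the check, `out - offset` can land before `base`. A real decoder does a
        // raw pointer read there; the simulated heap simply ends, so that case is reported.
        let src = out.checked_sub(offset).ok_or(DecodeError::OffsetBeforeOutput { offset, written })?;
        if out + match_len > heap.len() {
            return Err(DecodeError::OutputTooSmall);
        }
        for i in 0..match_len {
            heap[out + i] = heap[src + i]; // byte-wise so overlapping (offset < length) copies work
        }
        written += match_len;
    }
}

/// Constructed harness: a 20-byte "freed" secret sits just below the output region.
pub fn decode_with_stale_heap(payload: &[u8], validate_offset: bool) -> Result<Vec<u8>, DecodeError> {
    const STALE: &[u8] = b"SECRET_TOKEN=abc123;";
    let mut heap = STALE.to_vec();
    heap.resize(STALE.len() + 64, 0); // 64-byte output buffer after the stale data
    let base = STALE.len();
    let n = decode_block(payload, &mut heap, base, validate_offset)?;
    Ok(heap[base..base + n].to_vec())
}

/// Crafted: 1 literal ('A'), then a match with offset 5 (only 1 byte written) and length 8,
/// then a literal-only final sequence ('B').
pub const CRAFTED: &[u8] = &[0x14, b'A', 0x05, 0x00, 0x10, b'B'];
/// Benign: literals "abc", match offset 3 length 6 (overlapping), then literal '!'.
pub const BENIGN: &[u8] = &[0x32, b'a', b'b', b'c', 0x03, 0x00, 0x10, b'!'];

fn main() {
    let leaked = decode_with_stale_heap(CRAFTED, false).unwrap();
    println!("vulnerable: {}", String::from_utf8_lossy(&leaked)); // A123;A123B
    println!("hardened:   {:?}", decode_with_stale_heap(CRAFTED, true));
    let benign = decode_with_stale_heap(BENIGN, true).map(|v| String::from_utf8_lossy(&v).into_owned());
    println!("benign:     {:?}", benign);
}
```

The vulnerable path turns four bytes of the stale secret into decompressed output, and because the match overlaps its own destination the leaked bytes are even repeated; the hardened path fails closed with the offending offset and the number of bytes produced, which is the kind of detail worth logging when rejecting untrusted compressed input.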
Mitigation Strategies
- Update the lz4_flex dependency to 0.11.4 or later
- Zero-initialize caller-supplied output buffers (stopgap only; it does not remove the out-of-bounds read)
Remediation Steps:
- Modify Cargo.toml to require lz4_flex 0.11.4 or higher (a requirement of "0.11.4" is read by Cargo as >=0.11.4, <0.12.0), then run "cargo update -p lz4_flex" so Cargo.lock picks up the fixed release. Check "cargo tree -i lz4_flex" for transitive dependencies that still pull in an older version.
- Rebuild and redeploy the application: Rust links crates statically, so every binary built against the old version embeds it until it is rebuilt.
- If immediate patching is impossible, zero-initialize any output buffer the application supplies to the decompression API before each call. This only prevents stale contents of that buffer from being returned; it does not stop the out-of-bounds read itself, gives no protection where the library allocates the output internally, and should be treated as a stopgap until the dependency is updated.
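A Cargo.lock can pin the same crate at more than one version when dependencies require semver-incompatible ranges (for 0.x crates, 0.10 and 0.11 are incompatible), so a project that names the fixed release in Cargo.toml can still ship an old lz4_flex through a transitive dependency. The following is an added example, not part of the advisory or of lz4_flex, that extracts every lz4_flex version from a constructed Cargo.lock excerpt and reports those below 0.11.4. Apart from lz4_flex itself, the crate names and versions in the sample are constructed.

```rust
// Added example (not from the advisory or lz4_flex): scan a Cargo.lock for lz4_flex
// versions below the fixed release. The lock-file excerpt below is constructed.

pub const FIXED_IN: (u64, u64, u64) = (0, 11, 4);

/// Versions recorded for `crate_name` in a Cargo.lock text. A lock file may pin the
/// same crate at several versions when dependencies require incompatible ranges.
pub fn lock_versions(lock: &str, crate_name: &str) -> Vec<String> {
    let mut versions = Vec::new();
    let mut in_target = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_target = false; // new entry; `name` precedes `version` within each one
        } else if let Some(name) = line.strip_prefix("name = ") {
            in_target = name.trim_matches('"') == crate_name;
        } else if let Some(ver) = line.strip_prefix("version = ") {
            if in_target {
                versions.push(ver.trim_matches('"').to_string());
            }
        }
    }
    versions
}

/// Parses the MAJOR.MINOR.PATCH core of a semver string. Pre-release and build
/// metadata are dropped, which errs on the side of flagging for a "below the fix" test.
pub fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// lz4_flex versions in `lock` that predate 0.11.4. Unparsable versions are reported
/// as well so that they get a human look instead of being silently skipped.
pub fn vulnerable_lz4_flex(lock: &str) -> Vec<String> {
    lock_versions(lock, "lz4_flex")
        .into_iter()
        .filter(|v| parse_semver(v).map_or(true, |t| t < FIXED_IN))
        .collect()
}

/// Constructed Cargo.lock excerpt: the project pins the fixed release directly, but a
/// transitive dependency still requires the 0.10 line, which Cargo cannot unify with 0.11.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "lz4_flex"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "lz4_flex"
version = "0.11.4"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    match vulnerable_lz4_flex(SAMPLE_LOCK).as_slice() {
        [] => println!("no lz4_flex version below 0.11.4 in lock file"),
        bad => println!("vulnerable lz4_flex versions pinned: {:?}", bad),
    }
}
```

Once the scan names a version, "cargo tree -i lz4_flex" shows which dependency pulls it in, and "cargo update -p lz4_flex" re-resolves the lock file after Cargo.toml has been changed; a dependency that still requires an incompatible older line has to be updated or replaced itself.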
References
- GitHub Advisory GHSA-VVP9-7P8X-RFVV
- Fix Commit 055502ee5d297ecd6bf448ac91c055c7f6df9b6d
- lz4_flex Repository