Severity: Unknown
Affected Package: xz
Summary: heap buffer overflow in liblzma lzma_index_append() via an empty Index
XZ Utils provide a general-purpose data-compression library (liblzma) plus command-line tools. If lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, causing a heap-based buffer overflow (CWE-122). Affects xz/liblzma before 5.8.3.
No specific recommendations provided.
Aliases: CVE-2026-34743
Published: June 11, 2026
Last Modified: June 11, 2026