MNBSD-2026-20: heap buffer overflow in liblzma lzma_index_append() via an empty Index

Severity: Unknown

Affected Package: xz

Summary: heap buffer overflow in liblzma lzma_index_append() via an empty Index

Description

XZ Utils provides a general-purpose data-compression library (liblzma) plus command-line tools. If lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() on it would allocate too little memory, causing a heap-based buffer overflow (CWE-122). The issue affects xz/liblzma versions before 5.8.3.

Affected Versions

xz (liblzma) before 5.8.3
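
An added example, not part of the advisory or of XZ Utils: it reads the version of the system's liblzma shared library through lzma_version_number(), unpacks the packed integer, and compares it with the 5.8.3 boundary given in the Description. The function names are hypothetical, and comparing by release number alone is an assumption that does not account for fixes backported by a distribution.

```python
import ctypes
import ctypes.util

# Boundary from the advisory text: "before 5.8.3" is affected.
FIRST_UNAFFECTED = (5, 8, 3)
STABILITY = {0: "alpha", 1: "beta", 2: "stable"}


def decode_lzma_version(number):
    """Unpack liblzma's LZMA_VERSION integer.

    Layout: major*10000000 + minor*10000 + patch*10 + stability.
    """
    if number < 0 or number % 10 not in STABILITY:
        raise ValueError(f"not a liblzma version number: {number}")
    major, rest = divmod(number, 10_000_000)
    minor, rest = divmod(rest, 10_000)
    patch, stability = divmod(rest, 10)
    return (major, minor, patch), STABILITY[stability]


def is_listed_as_affected(number):
    """True if the release number sorts before 5.8.3 (assumption: no backports)."""
    release, _ = decode_lzma_version(number)
    return release < FIRST_UNAFFECTED


def loaded_liblzma_version():
    """Return lzma_version_number() of the system liblzma, or None if absent."""
    path = ctypes.util.find_library("lzma")
    if path is None:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.lzma_version_number.restype = ctypes.c_uint32
    lib.lzma_version_number.argtypes = []
    return lib.lzma_version_number()


if __name__ == "__main__":
    number = loaded_liblzma_version()
    if number is None:
        print("liblzma shared library not found")
    else:
        release, stability = decode_lzma_version(number)
        verdict = "affected per advisory" if is_listed_as_affected(number) else "not listed as affected"
        print("liblzma %d.%d.%d (%s): %s" % (*release, stability, verdict))
```

This only inspects the shared library that the dynamic loader finds; copies of liblzma that are statically linked or bundled inside other software need to be checked separately.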

Recommendations

No specific recommendations provided.

Additional Information

Aliases: CVE-2026-34743

Published: June 11, 2026
Last Modified: June 11, 2026