Описание
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
Отчет
According to upstream, this flaw cannot be exploited under normal, documented use of the LZ4 library API. Additionally, the flaw is present only in the LZ4 library itself, and the application binaries shipped with this package are not affected. Red Hat OpenStack Platform 10 includes an older version of LZ4 that contains the flawed code. However, OpenStack has been using RHEL's updated LZ4 version since RHEL 7.5, so Red Hat is not issuing an update for the OpenStack LZ4 package. This CVE is rated as moderate because Red Hat products do not use the vulnerable version of lz4 in current OpenStack offerings.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | lz4 | Will not fix | ||
| Red Hat OpenStack Platform 10 (Newton) | lz4 | Will not fix | ||
| Red Hat Enterprise Linux 8 | lz4 | Fixed | RHSA-2025:11035 | 15.07.2025 |
Показывать по
Дополнительная информация
Статус:
8.1 High
CVSS3
Связанные уязвимости
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."
LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...
8.1 High
CVSS3