{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32829", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.698Z", "datePublished": "2026-03-20T00:49:12.893Z", "dateUpdated": "2026-03-20T00:49:12.893Z"}, "containers": {"cna": {"title": "lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-823", "lang": "en", "description": "CWE-823: Use of Out-of-range Pointer Offset", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"}, {"name": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d", "tags": ["x_refsource_MISC"], "url": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d"}, {"name": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html", "tags": ["x_refsource_MISC"], "url": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html"}], "affected": [{"vendor": "PSeitz", "product": "lz4_flex", "versions": [{"version": "< 0.11.6", "status": "affected"}, {"version": ">= 0.12.0, < 0.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:49:12.893Z"}, "descriptions": [{"lang": "en", "value": "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1."}], "source": {"advisory": "GHSA-vvp9-7p8x-rfvv", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1."}], "id": "CVE-2026-32829", "lastModified": "2026-03-20T13:37:50.737", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:56.277", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d"}, {"source": "security-advisories@github.com", "url": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"}, {"source": "security-advisories@github.com", "url": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-823"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "lz4_flex: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer", "id": "2448271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448271"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-823", "details": ["No description is available for this CVE."], "name": "CVE-2026-32829", "package_state": [{"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llm-d-inference-scheduler-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-model-registry-job-async-upload-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-16T20:48:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32829\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32829\nhttps://github.com/PSeitz/lz4_flex\nhttps://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d\nhttps://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "lz4_flex", "vendor": "pseitz"}], "analysis": {"en": {"generated_at": "2026-03-20T02:20:46.426330+00:00", "value": {"mitigation_remediation": ["Upgrade the lz4_flex library to version 0.11.6 or later (or 0.12.1 or later).", "If upgrading is not possible, avoid using the block\u2011based API functions and use the frame API instead, which is unaffected."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the PSeitz:lz4_flex library. Attacks target applications that link against lz4_flex versions 0.11.5 or earlier and 0.12.0. The issue has been fixed in releases 0.11.6 and later, and 0.12.1 and later. All frame\u2011based API functions remain safe.", "description_and_impact": "lz4_flex, a pure Rust implementation of the LZ4 compression algorithm, has a flaw in versions 0.11.5 and earlier, and 0.12.0, where decompressing malformed LZ4 data can trigger out\u2011of\u2011bounds reads during match copy operations. The vulnerability allows an attacker to read uninitialized memory or data from previous decompression operations, potentially exposing sensitive information or secrets. This is classified as an information exposure weakness (CWE\u2011201) and an out\u2011of\u2011bounds read (CWE\u2011823).", "risk_and_exploitability": "The vulnerability scores a CVSS 8.2 (High) and has no EPSS score reported, indicating no public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an application to decompress attacker\u2011controlled LZ4 data using the affected block\u2011based API. If an application receives such data from a network or user, an attacker could read uninitialized memory on the host, leading to data leakage. The attack vector is therefore likely exploitation of untrusted input by the application, with no evidence of remote code execution."}}}}, "created": "2026-03-19T08:57:13.199229+00:00", "updated": "2026-03-20T10:43:34.351486+00:00", "vendors": ["pseitz", "pseitz$PRODUCT$lz4_flex"]}