CVE-2026-34743

UNKNOWN 0.0

XZ Utils: Buffer overflow in lzma_index_append()

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

CWE	CWE-122
Vendor	tukaani-project
Product	xz
Published	Apr 2, 2026
Last Updated	Apr 3, 2026

Stay Ahead of the Next One

Get instant alerts for tukaani-project xz

Be the first to know when new unknown vulnerabilities affecting tukaani-project xz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

tukaani-project / xz

< 5.8.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/tukaani-project/xz/security/advisories/GHSA-x872-m794-cxhv github.com: https://github.com/tukaani-project/xz/commit/c8c22869e780ff57c96b46939c3d79ff99395f87 github.com: https://github.com/tukaani-project/xz/releases/tag/v5.8.3 openwall.com: http://www.openwall.com/lists/oss-security/2026/03/31/13