CVE-2025-31115

Description

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

Weakness Type (CWE)

CWE-366 CWE-366

CWE-416 Use After Free

CWE-476 CWE-476

CWE-826 CWE-826

References

Other References

https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2 https://tukaani.org/xz/xz-cve-2025-31115.patch http://www.openwall.com/lists/oss-security/2025/04/03/1 http://www.openwall.com/lists/oss-security/2025/04/03/2 http://www.openwall.com/lists/oss-security/2025/04/03/3 https://cert-portal.siemens.com/productcert/html/ssa-082556.html

Frequently Asked Questions

What is CVE-2025-31115? +

XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

How do I check if I'm vulnerable to CVE-2025-31115? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-58143 9.8

[This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] There are multiple …

CVE-2024-10630 7.8

A race condition in Ivanti Application Control Engine before version 10.14.4.0 allows a local authenticated attacker to bypass the application …

CVE-2024-6778 7.5

Race in DevTools in Google Chrome prior to 126.0.6478.182 allowed an attacker who convinced a user to install a malicious …

CVE-2024-2032 3.1

A race condition vulnerability exists in zenml-io/zenml versions up to and including 0.55.3, which allows for the creation of multiple …