PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42250 bzip2 CVE debrief

A medium-severity off-by-one vulnerability in bzip2's bzip2recover utility permits out-of-bounds writes to a global buffer when the utility processes malformed input files. The resulting memory corruption crashes the process, so the impact is denial of service. The attack vector is local, attack complexity is low, and no privileges or user interaction are required; the reported effect on confidentiality and integrity is none. No evidence of known exploitation or ransomware campaign use has been identified. A fix commit is available.

Vendor
bzip2
Product
Unknown
CVSS
MEDIUM 5.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-28
Advisory published
2026-05-28
Advisory updated
2026-05-28

Who should care

System administrators maintaining bzip2 installations, security teams monitoring compression utility attack surfaces, and organizations running automated file processing pipelines that invoke bzip2recover on potentially untrusted inputs

Technical summary

The bzip2recover utility in bzip2 contains an off-by-one error that triggers an out-of-bounds write to a global buffer when processing specially crafted files. This results in memory corruption and application crash (denial of service). The vulnerability is classified as CWE-787 (Out-of-bounds Write) with a CVSS 4.0 score of 5.1 (Medium). Attack requires local access with low complexity, no privileges, and no user interaction. Availability impact is low; confidentiality and integrity impacts are none. The fix was committed as 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67.

Defensive priority

medium

Recommended defensive actions

  • Apply the fix commit 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 (backport it to packaged builds if your distribution has not yet shipped it) or upgrade to a bzip2 release that includes it once one is available
  • Audit systems for bzip2recover usage in automated processing pipelines; the advisory names only the bzip2recover utility, so scope the audit to invocations of that binary
  • Restrict execution of bzip2recover on untrusted input files, or run it in an isolated scratch directory with resource limits so that a crash affects only that job
  • Monitor for bzip2recover processes terminated by signal (exit status 128+N in shell wrappers) as an indicator that malformed inputs are reaching the utility; the reported impact is limited to availability, so such a crash is the full extent of the damage described
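The isolation and crash-monitoring actions above, as an added shell example that is not part of the advisory or of the bzip2 project: a POSIX sh wrapper that copies an untrusted file into a fresh scratch directory (bzip2recover writes its rec*.bz2 output into the current directory, so the scratch directory also contains that output), runs the tool there under a wall-clock limit and resource limits, classifies the exit status, and appends one log line. The limit values, the log format and the verdict names are this example's own choices; the tool is a parameter so the wrapper can be exercised with a stand-in on hosts where bzip2recover is not installed.

```shell
#!/bin/sh
# Added example (not from bzip2 or the advisory): guarded invocation of a
# recovery tool on an untrusted file.  Assumes POSIX sh and coreutils
# (mktemp, date, optionally timeout); limits and log format are choices
# made here, not anything the advisory prescribes.

# classify_status STATUS -> ok | timeout | error | crash
#   0       tool succeeded
#   124     killed by timeout(1) (wall-clock limit hit)
#   other   tool exited with an error of its own
#   >=128   tool was terminated by signal STATUS-128 (139 = SIGSEGV): the
#           kind of crash an out-of-bounds write typically produces
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif [ "$1" -eq 124 ]; then
        echo timeout
    elif [ "$1" -ge 128 ]; then
        echo crash
    else
        echo error
    fi
}

# run_recover_guarded TOOL INPUT LOGFILE
# Copies INPUT into a fresh scratch directory, runs "TOOL input" there so the
# rec*.bz2 output (and any fallout of a crash) stays inside it, appends one
# log line to LOGFILE and prints the verdict.
# Returns 0 ok, 1 error, 2 crash, 3 timeout.
run_recover_guarded() {
    tool=$1
    input=$2
    logfile=$3
    scratch=$(mktemp -d) || return 1
    cp -- "$input" "$scratch/input" || { rm -rf "$scratch"; return 1; }
    # Subshell: cd and ulimit do not leak back to the caller.  The limits are
    # best-effort; a shell without -v just skips that one.
    status=0
    (
        cd "$scratch" || exit 1
        ulimit -f 1048576 2>/dev/null || true   # output files: 1 GiB (1 KiB units)
        ulimit -v 524288  2>/dev/null || true   # address space: 512 MiB (1 KiB units)
        if command -v timeout >/dev/null 2>&1; then
            set -- timeout 30 "$tool" input
        else
            set -- "$tool" input
        fi
        "$@" >tool.out 2>tool.err
    ) || status=$?
    verdict=$(classify_status "$status")
    printf '%s tool=%s input=%s status=%s verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$tool" "$input" "$status" "$verdict" \
        >>"$logfile"
    rm -rf "$scratch"
    echo "$verdict"
    case $verdict in
        ok)      return 0 ;;
        error)   return 1 ;;
        crash)   return 2 ;;
        timeout) return 3 ;;
    esac
}

# Command-line use: run_guarded.sh /usr/bin/bzip2recover suspect.bz2 recover.log
if [ $# -ge 2 ]; then
    run_recover_guarded "$1" "$2" "${3:-recover.log}"
fi
```

The log line carries the raw exit status alongside the verdict so that a collector can distinguish a signal death (the crash this advisory describes) from an ordinary non-zero exit, and the per-job scratch directory means a crashing bzip2recover leaves nothing behind in the pipeline's working tree.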

Evidence notes

CVE published 2026-05-28T14:16:19.890Z; modified 2026-05-28T18:16:32.577Z. Fix commit 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 confirmed via sourceware.org reference. CVSS 4.0 vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L. CWE-787 (Out-of-bounds Write) identified. Vendor attribution to Sourceware based on reference domain evidence with low confidence; review recommended.

Official resources
