PatchSiren cyber security CVE debrief
CVE-2026-32829 PSeitz CVE debrief
CVE-2026-32829 is a vulnerability in lz4_flex, a pure Rust implementation of LZ4 compression and decompression. In versions 0.11.5 and below, and in 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations: the library fails to properly validate offset values during LZ4 match copy operations, allowing out-of-bounds reads relative to the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when the safe-decode feature is disabled) are affected; all frame APIs are unaffected. The impact is exposure of sensitive data and secrets through crafted or malformed LZ4 input. The issue is fixed in versions 0.11.6 and 0.12.1.
- Vendor: PSeitz
- Product: lz4_flex
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-30
Who should care
Developers and operators of software that uses lz4_flex, especially through the block-based API functions, should be aware of this vulnerability. lz4_flex is often pulled in transitively, so check what Cargo.lock actually pins rather than only Cargo.toml (cargo tree -i lz4_flex lists which crates depend on it) and update to version 0.11.6 or 0.12.1 to mitigate the risk. Users of Red Hat products that incorporate lz4_flex may need to apply the patches or updates provided by Red Hat.
Technical summary
An LZ4 block is a series of sequences. Each sequence carries a run of literal bytes followed by a match: a 16-bit offset and a length telling the decoder to copy bytes it has already produced, starting offset bytes behind the current write position (in the dictionary variant the history also includes the supplied dictionary). A correct decoder rejects an offset of zero or one larger than the history available behind the cursor. lz4_flex did not validate the offset properly during the match copy, so a crafted or corrupted block could place the copy source outside the output produced for that call; whatever sat there, uninitialized memory or the result of an earlier decompression, was copied into the decompressed output and handed back to the caller. The affected functions are the block API's decompress_into, decompress_into_with_dict, and others when the safe-decode feature is disabled; the frame API is not affected. The CVSS score is 8.2 (HIGH). Because the leaked bytes travel in the decoder's normal output, any service that decompresses attacker-supplied blocks and returns the result can be made to disclose secrets.
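To make the match-copy flaw concrete, the following is an added example written for this debrief; it is not lz4_flex's code and its internals are simplified. It is a minimal LZ4 block decoder in which the offset check can be switched off. mem stands in for a heap region: the output buffer starts at out_start, and the bytes before it are constructed leftovers from an earlier decompression. The check_offset flag, the Lz4Error type, the CRAFTED block and demo are this example's own.

```rust
// Added example for this debrief, NOT lz4_flex's code: a minimal LZ4 block
// decoder showing the CVE-2026-32829 bug class (a match copy whose offset is
// not validated against the bytes already produced).
//
// `mem` simulates one heap region. The output buffer starts at `out_start`;
// bytes before it are constructed leftovers from an earlier decompression.

#[derive(Debug, PartialEq)]
pub enum Lz4Error {
    Truncated,
    BadOffset { offset: usize, written: usize },
    OutputTooSmall,
}

/// LZ4 length extension: keep adding bytes while each one is 0xFF.
fn read_ext(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, Lz4Error> {
    loop {
        let b = *input.get(*ip).ok_or(Lz4Error::Truncated)?;
        *ip += 1;
        len += b as usize;
        if b != 0xFF {
            return Ok(len);
        }
    }
}

/// Decodes one LZ4 block into mem[out_start..] and returns the bytes written.
/// check_offset = true  : hardened rule, offset must be in 1..=bytes written so far.
/// check_offset = false : the bug class; only the allocation bound is checked,
///                        so the copy source may land before this call's output.
pub fn decompress_block(
    input: &[u8],
    mem: &mut [u8],
    out_start: usize,
    check_offset: bool,
) -> Result<usize, Lz4Error> {
    let mut ip = 0; // input cursor
    let mut pos = 0; // bytes written, relative to out_start
    loop {
        let token = *input.get(ip).ok_or(Lz4Error::Truncated)?;
        ip += 1;

        // Literal run: high nibble of the token, 15 means "extended".
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 {
            lit_len = read_ext(input, &mut ip, lit_len)?;
        }
        let lits = input.get(ip..ip + lit_len).ok_or(Lz4Error::Truncated)?;
        let dst = out_start + pos;
        mem.get_mut(dst..dst + lit_len).ok_or(Lz4Error::OutputTooSmall)?.copy_from_slice(lits);
        ip += lit_len;
        pos += lit_len;
        if ip == input.len() {
            return Ok(pos); // the final sequence carries literals only
        }

        // Match: 16-bit little-endian offset, then length = low nibble + 4.
        let off = input.get(ip..ip + 2).ok_or(Lz4Error::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0F) as usize + 4;
        if (token & 0x0F) == 15 {
            match_len = read_ext(input, &mut ip, match_len)?;
        }

        // Hardened: the source must be inside what THIS call has produced.
        if check_offset && (offset == 0 || offset > pos) {
            return Err(Lz4Error::BadOffset { offset, written: pos });
        }
        // Bug class: only refuse to leave the simulated allocation (in native
        // code even this check is absent and the read simply goes out of bounds).
        let src = (out_start + pos)
            .checked_sub(offset)
            .ok_or(Lz4Error::BadOffset { offset, written: pos })?;
        if out_start + pos + match_len > mem.len() {
            return Err(Lz4Error::OutputTooSmall);
        }
        // Byte-wise copy so overlapping matches (offset < match_len) repeat correctly.
        for i in 0..match_len {
            mem[out_start + pos + i] = mem[src + i];
        }
        pos += match_len;
    }
}

/// Constructed block: literal 'A', then a match with offset 5 while only one
/// byte has been written, then literal 'Z'. Offset 5 is invalid (5 > 1).
pub const CRAFTED: [u8; 6] = [0x10, b'A', 0x05, 0x00, 0x10, b'Z'];

/// Runs CRAFTED against a buffer whose first 8 bytes are stale secret data.
pub fn demo(check_offset: bool) -> Result<Vec<u8>, Lz4Error> {
    let mut mem = [0u8; 16];
    mem[..8].copy_from_slice(b"SECRET!!"); // constructed leftovers from a previous call
    let n = decompress_block(&CRAFTED, &mut mem, 8, check_offset)?;
    Ok(mem[8..8 + n].to_vec())
}

fn main() {
    println!("unchecked: {:?}", demo(false).map(|v| String::from_utf8_lossy(&v).into_owned()));
    println!("checked:   {:?}", demo(true));
}
```

With the check off, the six-byte output AET!!Z carries four bytes of the stale SECRET!! region although the input never contained them; with the check on, the same block is rejected with BadOffset { offset: 5, written: 1 }. The hardened rule is the one any block decoder needs: the offset must be non-zero and no larger than the history it is allowed to reference.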
Defensive priority
High priority should be given to updating lz4_flex to version 0.11.6 or 0.12.1: the trigger is a single malformed block, and the leaked bytes come back in the decoder's normal output, so any exposed decompression path is a data-disclosure channel. Developers should review their dependency trees and apply patches or updates as necessary. Red Hat users should apply the relevant errata (RHSA-2026:11800, RHSA-2026:16354, RHSA-2026:19712, RHSA-2026:22862).
Recommended defensive actions
- Update lz4_flex to version 0.11.6 or 0.12.1, whichever release line you are on; when the fix is within the pinned semver range, cargo update -p lz4_flex is enough, otherwise bump the direct dependency that pins it
- Review and update dependencies that use lz4_flex; cargo tree -i lz4_flex shows which crates pull it in, and Cargo.lock may pin more than one version
- Apply Red Hat errata (RHSA-2026:11800, RHSA-2026:16354, RHSA-2026:19712, RHSA-2026:22862) if applicable
- Treat LZ4 block data from untrusted sources as hostile; until patched, prefer the frame API, which the advisory reports as unaffected, and do not disable the safe-decode feature for block decoding
- As compensating controls until patched, limit which callers can submit data for decompression, and avoid reusing output buffers across decompressions for different users or trust domains, since leaked bytes can come from previous decompression output
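Checking whether a build is exposed means looking at what Cargo.lock actually pins, not only at Cargo.toml. The following added example (written for this debrief, not taken from the page or from lz4_flex) reads a constructed Cargo.lock and reports every lz4_flex entry in the affected ranges; the version-range logic encodes the advisory's statement that 0.11.5 and below and 0.12.0 are affected and 0.11.6 and 0.12.1 are fixed. All names are the example's own, and SAMPLE_LOCK is constructed.

```rust
// Added example for this debrief (not from the page or lz4_flex): scan a
// Cargo.lock for lz4_flex entries that fall in the affected ranges the
// advisory names (0.11.5 and below, and 0.12.0). A lock file can pin several
// versions of the same crate, so every [[package]] table is inspected.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parses "MAJOR.MINOR.PATCH"; a pre-release or build suffix is ignored.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    let v = Version(parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None; // more than three components is not a version we understand
    }
    Some(v)
}

/// Affected per the advisory: every version up to 0.11.5, plus exactly 0.12.0.
/// Fixed: 0.11.6 and later on the 0.11 line, 0.12.1 and later on the 0.12 line.
pub fn is_affected(v: Version) -> bool {
    v <= Version(0, 11, 5) || v == Version(0, 12, 0)
}

/// Minimal Cargo.lock reader: (name, version) for each [[package]] table.
/// The top-level `version = N` line is discarded because no name precedes it.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    fn flush(name: &mut Option<String>, ver: &mut Option<String>, out: &mut Vec<(String, String)>) {
        if let (Some(n), Some(v)) = (name.take(), ver.take()) {
            out.push((n, v));
        }
    }
    let mut out = Vec::new();
    let (mut name, mut ver) = (None, None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            flush(&mut name, &mut ver, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            ver = Some(v.trim_matches('"').to_string());
        }
    }
    flush(&mut name, &mut ver, &mut out);
    out
}

/// Versions of lz4_flex in the lock file that need an upgrade. A version
/// string this parser cannot read is reported too, for manual review.
pub fn affected_lz4_flex(lock: &str) -> Vec<String> {
    lock_packages(lock)
        .into_iter()
        .filter(|(name, _)| name == "lz4_flex")
        .filter(|(_, ver)| parse_version(ver).map_or(true, is_affected))
        .map(|(_, ver)| ver)
        .collect()
}

/// Constructed lock file: one affected and one fixed lz4_flex, plus a bystander.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "lz4_flex"
version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "lz4_flex"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for v in affected_lz4_flex(SAMPLE_LOCK) {
        println!("lz4_flex {v}: affected by CVE-2026-32829, upgrade to 0.11.6+ or 0.12.1+");
    }
}
```

In a real tree, cargo tree -i lz4_flex then tells you which direct dependency pins the affected version, and cargo update -p lz4_flex is enough when the fixed release is within that dependency's semver range.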
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and its impact. The source item URL provides additional metadata and references. The references include patches, mitigations, and vendor advisories.
Official resources
- CVE-2026-32829 CVE record (CVE.org)
- CVE-2026-32829 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.