PatchSiren cyber security CVE debrief

CVE-2026-32829 PSeitz CVE debrief

CVE-2026-32829 is a vulnerability in lz4_flex, a pure Rust implementation of LZ4 compression and decompression. In versions 0.11.5 and earlier, and in 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 match copy operations, allowing out-of-bounds reads from the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when 'safe-decode' is disabled) are affected; all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. The issue is fixed in versions 0.11.6 and 0.12.1.

Vendor: PSeitz
Product: lz4_flex
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-20
Original CVE updated: 2026-06-30
Advisory published: 2026-03-20
Advisory updated: 2026-06-30

Who should care

Developers and users of lz4_flex, especially those using the block-based API functions, should be aware of this vulnerability. They should check their dependencies and update to versions 0.11.6 or 0.12.1 to mitigate the risk. Additionally, users of Red Hat products that incorporate lz4_flex may need to apply patches or updates provided by Red Hat.

Technical summary

The vulnerability in lz4_flex arises from improper validation of offset values during LZ4 match copy operations. A match offset that is not checked against the output produced so far allows out-of-bounds reads from the output buffer when decompressing invalid LZ4 data. The affected functions include decompress_into, decompress_into_with_dict, and others when 'safe-decode' is disabled. The vulnerability has a CVSS score of 8.2 and is rated HIGH severity. It can lead to the exposure of sensitive data and secrets through crafted or malformed LZ4 input.
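As an added illustration (not lz4_flex's own code), the following minimal LZ4 block decoder shows the offset validation the advisory describes as missing: a match offset is accepted only if it points back into the bytes this call has already written, so a malformed offset is rejected instead of reading whatever the output buffer held before. The names decompress_block, read_len and DecodeError are hypothetical.

```rust
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    OffsetOutOfRange { offset: usize, written: usize },
}
/// Reads an LZ4 length extension: a run of 255 bytes ended by a byte below 255.
fn read_len(input: &[u8], pos: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        len += b as usize;
        if b != 255 { return Ok(len); }
    }
}
/// Decodes a raw LZ4 block (no frame). Hypothetical example decoder: each match
/// offset is checked against the bytes already written by this call, so a crafted
/// offset cannot read stale data from before the start of the output.
pub fn decompress_block(input: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let mut out = Vec::new();
    let mut pos = 0;
    while pos < input.len() {
        let token = input[pos];
        pos += 1;
        // Literal run: high nibble of the token, extended when it is 15.
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 { lit_len = read_len(input, &mut pos, lit_len)?; }
        let lits = input.get(pos..pos + lit_len).ok_or(DecodeError::Truncated)?;
        out.extend_from_slice(lits);
        pos += lit_len;
        if pos == input.len() { break; } // the final sequence carries literals only
        // Match: 2-byte little-endian offset back into the output produced so far.
        let off = input.get(pos..pos + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        pos += 2;
        // The validation the advisory concerns: offset 0 is invalid, and an offset
        // larger than the bytes written so far would read outside the output.
        if offset == 0 || offset > out.len() {
            return Err(DecodeError::OffsetOutOfRange { offset, written: out.len() });
        }
        let mut match_len = (token & 0x0F) as usize + 4;
        if match_len == 19 { match_len = read_len(input, &mut pos, match_len)?; }
        // Byte-wise copy so overlapping matches (offset < match_len) repeat correctly.
        for _ in 0..match_len {
            let b = out[out.len() - offset];
            out.push(b);
        }
    }
    Ok(out)
}
```

Constructed input such as `[0x44, b'a', b'b', b'c', b'd', 0x04, 0x00, 0x20, b'E', b'F']` decodes to "abcdabcdabcdEF", while a sequence whose offset exceeds the bytes written returns OffsetOutOfRange rather than leaking buffer contents.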

Defensive priority

High priority should be given to updating lz4_flex to versions 0.11.6 or 0.12.1. Developers should review their dependencies and apply patches or updates as necessary. Red Hat users should apply the relevant errata (RHSA-2026:11800, RHSA-2026:16354, RHSA-2026:19712, RHSA-2026:22862).

Recommended defensive actions

  • Update lz4_flex to version 0.11.6 or 0.12.1
  • Review and update dependencies that use lz4_flex
  • Apply Red Hat errata (RHSA-2026:11800, RHSA-2026:16354, RHSA-2026:19712, RHSA-2026:22862) if applicable
  • Monitor for and restrict malicious LZ4 input
  • Implement compensating controls such as data encryption and access controls

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its impact. The source item URL provides additional metadata and references. The references include patches, mitigations, and vendor advisories.

Official resources

This article is AI-assisted and based on the supplied source corpus.