CVE-2025-31115 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Denial of service
Description	In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2861	lib32-xz	5.8.0-1	5.8.1-1	Medium	Fixed
AVG-2860	xz	5.8.0-1	5.8.1-1	Medium	Fixed

References
https://tukaani.org/xz/threaded-decoder-early-free.html https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2 https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480 https://tukaani.org/xz/xz-cve-2025-31115.patch

References

https://tukaani.org/xz/threaded-decoder-early-free.html
https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
https://tukaani.org/xz/xz-cve-2025-31115.patch