CVE-2026-32829 — lz4_flex is a pure Rust implementation of LZ4...
CVE-2026-32829 漏洞深度分析
漏洞概述
CVE 编号: CVE-2026-32829
CVSS 评分: 8.2(HIGH)
CVSS 向量: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE 分类: CWE-201,CWE-823,CWE-823
漏洞状态: Modified
发布时间: 2026-03-20T01:15:56.277
最后更新: 2026-07-14T12:16:58.127
漏洞描述
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when safe-decode is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
影响分析
此漏洞的具体影响取决于实际利用场景。"
修复建议
- 及时关注厂商发布的安全更新和补丁
- 升级受影响组件到最新版本
- 如无法立即升级,参考厂商提供的临时缓解措施
- 加强网络访问控制和监控
参考链接
- https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d
- https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv
- https://rustsec.org/advisories/RUSTSEC-2026-0041.html
- https://access.redhat.com/errata/RHSA-2026:11800
- https://access.redhat.com/errata/RHSA-2026:16354