{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32829", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T17:35:36.698Z", "datePublished": "2026-03-20T00:49:12.893Z", "dateUpdated": "2026-03-21T03:03:09.928Z"}, "containers": {"cna": {"title": "lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer", "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "lang": "en", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-823", "lang": "en", "description": "CWE-823: Use of Out-of-range Pointer Offset", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"}, {"name": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d", "tags": ["x_refsource_MISC"], "url": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d"}, {"name": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html", "tags": ["x_refsource_MISC"], "url": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html"}], "affected": [{"vendor": "PSeitz", "product": "lz4_flex", "versions": [{"version": "< 0.11.6", "status": "affected"}, {"version": ">= 0.12.0, < 0.12.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:49:12.893Z"}, "descriptions": [{"lang": "en", "value": "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1."}], "source": {"advisory": "GHSA-vvp9-7p8x-rfvv", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-21T03:02:22.812939Z", "id": "CVE-2026-32829", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:03:09.928Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32829", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-21T03:02:22.812939Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-21T03:03:04.108Z"}}], "cna": {"title": "lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer", "source": {"advisory": "GHSA-vvp9-7p8x-rfvv", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "PSeitz", "product": "lz4_flex", "versions": [{"status": "affected", "version": "< 0.11.6"}, {"status": "affected", "version": ">= 0.12.0, < 0.12.1"}]}], "references": [{"url": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv", "name": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d", "name": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d", "tags": ["x_refsource_MISC"]}, {"url": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html", "name": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "CWE-201: Insertion of Sensitive Information Into Sent Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-823", "description": "CWE-823: Use of Out-of-range Pointer Offset"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T00:49:12.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32829", "state": "PUBLISHED", "dateUpdated": "2026-03-21T03:03:09.928Z", "dateReserved": "2026-03-16T17:35:36.698Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T00:49:12.893Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pseitz:lz4_flex:*:*:*:*:*:rust:*:*", "matchCriteriaId": "B9F4365E-174A-4CBB-9F03-34AEA5444DF8", "versionEndExcluding": "0.11.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:pseitz:lz4_flex:0.12.0:*:*:*:*:rust:*:*", "matchCriteriaId": "2A2078FA-C55A-49B1-933D-6D7B33BB5902", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1."}, {"lang": "es", "value": "lz4_flex es una implementaci\u00f3n pura en Rust de compresi\u00f3n/descompresi\u00f3n LZ4. En las versiones 0.11.5 e inferiores, y 0.12.0, la descompresi\u00f3n de datos LZ4 no v\u00e1lidos puede filtrar informaci\u00f3n sensible de memoria no inicializada o de operaciones de descompresi\u00f3n anteriores. La biblioteca no valida correctamente los valores de desplazamiento durante las 'operaciones de copia de coincidencia' de LZ4, permitiendo lecturas fuera de l\u00edmites del b\u00fafer de salida. Las funciones API basadas en bloques ('decompress_into', 'decompress_into_with_dict', y otras cuando 'safe-decode' est\u00e1 deshabilitado) se ven afectadas, mientras que todas las API de trama no se ven afectadas. El impacto es la exposici\u00f3n potencial de datos sensibles y secretos a trav\u00e9s de entradas LZ4 manipuladas o malformadas. Este problema ha sido solucionado en las versiones 0.11.6 y 0.12.1."}], "id": "CVE-2026-32829", "lastModified": "2026-03-30T15:05:23.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T01:15:56.277", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://rustsec.org/advisories/RUSTSEC-2026-0041.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-823"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "lz4_flex: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer", "id": "2448271", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448271"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-823", "details": ["No description is available for this CVE."], "name": "CVE-2026-32829", "package_state": [{"cpe": "cpe:/a:redhat:logging:6", "fix_state": "Affected", "package_name": "openshift-logging/vector-rhel9", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:openshift_lightspeed", "fix_state": "Affected", "package_name": "openshift-lightspeed/lightspeed-service-api-rhel9", "product_name": "OpenShift Lightspeed"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-llm-d-inference-scheduler-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Affected", "package_name": "rhoai/odh-model-registry-job-async-upload-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-16T20:48:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32829\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32829\nhttps://github.com/PSeitz/lz4_flex\nhttps://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d\nhttps://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "product": "lz4_flex", "vendor": "pseitz"}], "analysis": {"en": {"generated_at": "2026-03-20T02:20:46.426330+00:00", "value": {"mitigation_remediation": ["Upgrade the lz4_flex library to version 0.11.6 or later (or 0.12.1 or later).", "If upgrading is not possible, avoid using the block\u2011based API functions and use the frame API instead, which is unaffected."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is the PSeitz:lz4_flex library. Attacks target applications that link against lz4_flex versions 0.11.5 or earlier and 0.12.0. The issue has been fixed in releases 0.11.6 and later, and 0.12.1 and later. All frame\u2011based API functions remain safe.", "description_and_impact": "lz4_flex, a pure Rust implementation of the LZ4 compression algorithm, has a flaw in versions 0.11.5 and earlier, and 0.12.0, where decompressing malformed LZ4 data can trigger out\u2011of\u2011bounds reads during match copy operations. The vulnerability allows an attacker to read uninitialized memory or data from previous decompression operations, potentially exposing sensitive information or secrets. This is classified as an information exposure weakness (CWE\u2011201) and an out\u2011of\u2011bounds read (CWE\u2011823).", "risk_and_exploitability": "The vulnerability scores a CVSS 8.2 (High) and has no EPSS score reported, indicating no public exploitation data. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an application to decompress attacker\u2011controlled LZ4 data using the affected block\u2011based API. If an application receives such data from a network or user, an attacker could read uninitialized memory on the host, leading to data leakage. The attack vector is therefore likely exploitation of untrusted input by the application, with no evidence of remote code execution."}}}}, "created": "2026-03-19T08:57:13.199229+00:00", "updated": "2026-03-20T10:43:34.351486+00:00", "vendors": ["pseitz", "pseitz$PRODUCT$lz4_flex"]}