vulnerability

Arch Linux: Denial of service (CVE-2025-31115)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Apr 3, 2025	Jul 11, 2025	Dec 17, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Apr 3, 2025

Added

Jul 11, 2025

Modified

Dec 17, 2025

Description

In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository.

Solution

arch-linux-upgrade-latest

References

CVE-2025-31115
https://attackerkb.com/topics/CVE-2025-31115
URL-https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
URL-https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
URL-https://tukaani.org/xz/threaded-decoder-early-free.html
URL-https://tukaani.org/xz/xz-cve-2025-31115.patch
CWE-366
CWE-416
CWE-476
CWE-826

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today