CVE-2026-34743
Publication date 2 April 2026
Last updated 2 June 2026
Ubuntu priority
Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
Read the notes from the security team
Why is this CVE low priority?
Issue not likely to affect any real-world applications
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| xz-utils | 26.04 LTS resolute |
Not affected
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Vulnerable
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Vulnerable
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty |
Vulnerable
|
Notes
mdeslaur
Per xz-utils developers: "The lzma_index functions are rarely used by applications directly. In the few applications that do use these functions, the combination of function calls required to trigger this bug are unlikely to exist, because there typically is no reason to append Records to a decoded lzma_index. Thus, it’s likely that this bug cannot be triggered in any real-world application." Marking this as low priority
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.3 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-8362-1
- XZ Utils vulnerability
- 2 June 2026