USN-8362-1: XZ Utils vulnerability | Ubuntu security notices

Packages

xz-utils - XZ-format compression utilities

Details

It was discovered that XZ Utils did not properly manage memory when
attempting to append data to a decoded index that contained no records.
An attacker could possibly use this issue to cause XZ Utils to crash,
resulting in a denial of service, or execute arbitrary code.

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

Ubuntu Release	Package Version
25.10 questing	liblzma5 – 5.8.1-1ubuntu0.1
	xz-utils – 5.8.1-1ubuntu0.1
	xzdec – 5.8.1-1ubuntu0.1
24.04 LTS noble	liblzma5 – 5.6.1+really5.4.5-1ubuntu0.3
	xz-utils – 5.6.1+really5.4.5-1ubuntu0.3
	xzdec – 5.6.1+really5.4.5-1ubuntu0.3
22.04 LTS jammy	liblzma5 – 5.2.5-2ubuntu1.1
	xz-utils – 5.2.5-2ubuntu1.1
	xzdec – 5.2.5-2ubuntu1.1
20.04 LTS focal	liblzma5 – 5.2.4-1ubuntu1.1+esm1
	xz-utils – 5.2.4-1ubuntu1.1+esm1
	xzdec – 5.2.4-1ubuntu1.1+esm1
18.04 LTS bionic	liblzma5 – 5.2.2-1.3ubuntu0.1+esm1
18.04 LTS bionic	xz-utils – 5.2.2-1.3ubuntu0.1+esm1
16.04 LTS xenial	liblzma5 – 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
	xz-utils – 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
	xzdec – 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2
14.04 LTS trusty	liblzma5 – 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2
	xz-utils – 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2
	xzdec – 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

CVE-2026-34743

CVE-2026-34743