CVE-2026-34743

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-34743
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34743.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-34743
Aliases
  • GHSA-x872-m794-cxhv
Downstream
Related
Published
2026-04-02T18:36:37.450Z
Modified
2026-05-21T03:53:53.679911908Z
Severity
  • 1.7 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
XZ Utils: Buffer overflow in lzma_index_append()
Details

XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder() was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindex_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.

Database specific 
{
    "cwe_ids": [
        "CWE-122"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34743.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tukaani-project/xz

Affected ranges

Type
GIT
Repo
https://github.com/tukaani-project/xz
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4b73f2ec19a99ef465282fbce633e8deb33691b3

Affected versions

v4.*
v4.42.2alpha
v4.999.3alpha
v4.999.5alpha
v4.999.7beta
v4.999.8beta
v4.999.9beta
v5.*
v5.0.0
v5.1.0alpha
v5.1.1alpha
v5.1.2alpha
v5.1.3alpha
v5.1.4beta
v5.2.0
v5.2.1
v5.3.1alpha
v5.3.2alpha
v5.3.3alpha
v5.3.4alpha
v5.3.5beta
v5.4.0
v5.5.0alpha
v5.5.1alpha
v5.5.2beta
v5.7.0alpha
v5.7.1alpha
v5.7.2beta
v5.8.0
v5.8.1
v5.8.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34743.json"