USN-7414-1

Harri K. Koskinen discovered that XZ Utils incorrectly handled the threaded xz decoder. If a user or automated system were tricked into processing an xz file, a remote attacker could use this issue to cause XZ Utils to crash, resulting in a denial of service, or possibly execute arbitrary code.

References

Affected packages

Ubuntu:24.04:LTS / xz-utils

Package

Name: xz-utils
Purl: pkg:deb/ubuntu/xz-utils@5.6.1+really5.4.5-1ubuntu0.2?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.6.1+really5.4.5-1ubuntu0.2

Affected versions

5.*

5.4.1-0.2

5.4.4-0.1

5.4.5-0.1

5.4.5-0.3

5.6.0-0.2

5.6.1+really5.4.5-1

5.6.1+really5.4.5-1build0.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "5.6.1+really5.4.5-1ubuntu0.2",
            "binary_name": "liblzma-dev"
        },
        {
            "binary_version": "5.6.1+really5.4.5-1ubuntu0.2",
            "binary_name": "liblzma5"
        },
        {
            "binary_version": "5.6.1+really5.4.5-1ubuntu0.2",
            "binary_name": "xz-utils"
        },
        {
            "binary_version": "5.6.1+really5.4.5-1ubuntu0.2",
            "binary_name": "xzdec"
        }
    ]
}

Database specific

cves_map

{
    "cves": [
        {
            "id": "CVE-2025-31115",
            "severity": [
                {
                    "type": "CVSS_V4",
                    "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ],
    "ecosystem": "Ubuntu:24.04:LTS"
}