Critical severity · NVD Advisory · Published Dec 27, 2022 · Updated Apr 11, 2025
Out-of-bounds write in github.com/cloudflare/golz4
CVE-2014-125026
Description
The Go bindings call the deprecated C decompressor LZ4_uncompress, which is given only the expected output size and never the length of the compressed input, so it performs no bounds checking while decoding. A crafted compressed stream can make it read past the end of the input and write past the end of the output buffer (memory corruption), which could lead to arbitrary code execution if Uncompress is called on untrusted data. The fix switches to LZ4_decompress_safe, which receives both the compressed length and the output capacity and returns a negative value on a malformed stream instead of overrunning the buffer.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/cloudflare/golz4 (Go) | < 0.0.0-20140711154735-199f5f787806 | 0.0.0-20140711154735-199f5f787806 |
Patches
199f5f787806 · Use LZ4_decompress_safe instead of LZ4_uncompress
1 file changed · +6 −7
lz4.go+6 −7 modified@@ -6,6 +6,7 @@ package lz4 import "C" import ( + "errors" "fmt" "unsafe" ) @@ -25,14 +26,12 @@ func clen(s []byte) C.int { // Uncompress with a known output size. len(out) should be equal to // the length of the uncompressed out. -func Uncompress(in, out []byte) (err error) { - read := int(C.LZ4_uncompress(p(in), p(out), clen(out))) - - if read != len(in) { - err = fmt.Errorf("uncompress read %d bytes should have read %d", - read, len(in)) +func Uncompress(in, out []byte) (error) { + if int(C.LZ4_decompress_safe(p(in), p(out), clen(in), clen(out))) < 0 { + return errors.New("Malformed compression stream") } - return + + return nil } // CompressBound calculates the size of the output buffer needed by
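Review bot: the Uncompress hunk drops the length check the old code had. LZ4_decompress_safe returns the number of bytes written on success, but the new body only tests for a negative result and returns nil otherwise, so a stream that decodes to fewer than len(out) bytes is reported as success and the caller gets a buffer whose tail was never written, even though the comment directly above says len(out) should equal the uncompressed length. Suggest keeping the result and comparing it: `n := int(C.LZ4_decompress_safe(p(in), p(out), clen(in), clen(out)))`, `if n < 0 { return errors.New("malformed compression stream") }`, `if n != len(out) { return fmt.Errorf("uncompress wrote %d bytes, want %d", n, len(out)) }`. Two style points in the same hunk: Go error strings are conventionally lowercase, and the `(error)` return type does not need parentheses.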