VYPR
High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 21, 2026

lz4_flex: Decompression can leak information from uninitialized memory or reused output buffer

CVE-2026-32829

Description

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when safe-decode is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
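The check the advisory describes is the one every LZ4 block decoder must make before a match copy: the back-reference offset has to point into output that the current decompression call has already produced (and, when a dictionary is supplied, into that dictionary), so it must be at least 1 and at most the number of bytes written so far. The following is an added example, not lz4_flex's own code, written here to show that rule in a minimal safe-Rust block decoder. The block layout follows the public LZ4 block format (token, literal length, literals, little-endian 16-bit offset, match length); the function name decompress_into is borrowed from the advisory only for familiarity and the signature, error type, and the two sample blocks are constructed for this example.

```rust
/// Errors a decoder should return instead of reading outside valid output.
#[derive(Debug, PartialEq)]
pub enum Lz4Error {
    TruncatedInput,
    OutputTooSmall,
    /// Back-reference points before the data this call produced.
    InvalidOffset { offset: usize, available: usize },
}

/// LZ4 match lengths are stored minus this constant.
const MIN_MATCH: usize = 4;

/// Read an LZ4 length field: the 4-bit nibble, extended by 255-chained bytes.
fn read_len(input: &[u8], pos: &mut usize, nibble: usize) -> Result<usize, Lz4Error> {
    let mut len = nibble;
    if nibble == 15 {
        loop {
            let b = *input.get(*pos).ok_or(Lz4Error::TruncatedInput)?;
            *pos += 1;
            len += b as usize;
            if b != 255 {
                break;
            }
        }
    }
    Ok(len)
}

/// Decompress one raw LZ4 block into `output`; returns the number of bytes written.
/// Every match copy is validated so that `output[op - offset]` is always a byte
/// written earlier in this same call, never stale or uninitialized buffer content.
pub fn decompress_into(input: &[u8], output: &mut [u8]) -> Result<usize, Lz4Error> {
    let mut ip = 0; // read position in input
    let mut op = 0; // write position in output
    while ip < input.len() {
        let token = input[ip];
        ip += 1;

        // Literals: copied verbatim from the input.
        let lit_len = read_len(input, &mut ip, (token >> 4) as usize)?;
        let lit_end = ip.checked_add(lit_len).ok_or(Lz4Error::TruncatedInput)?;
        let lits = input.get(ip..lit_end).ok_or(Lz4Error::TruncatedInput)?;
        let dst = output.get_mut(op..op + lit_len).ok_or(Lz4Error::OutputTooSmall)?;
        dst.copy_from_slice(lits);
        ip = lit_end;
        op += lit_len;
        if ip == input.len() {
            break; // the final sequence carries literals only
        }

        // Match: 16-bit little-endian offset followed by the match length.
        let off = input.get(ip..ip + 2).ok_or(Lz4Error::TruncatedInput)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let match_len = read_len(input, &mut ip, (token & 0x0F) as usize)? + MIN_MATCH;

        // The security-relevant check: an offset of zero or one larger than the
        // bytes produced so far would read outside the valid output window.
        if offset == 0 || offset > op {
            return Err(Lz4Error::InvalidOffset { offset, available: op });
        }
        if op + match_len > output.len() {
            return Err(Lz4Error::OutputTooSmall);
        }
        // Byte-by-byte copy so overlapping matches (offset < match_len) work.
        for _ in 0..match_len {
            output[op] = output[op - offset];
            op += 1;
        }
    }
    Ok(op)
}

/// Constructed valid block: literals "abc", match (offset 3, length 9), literals "XYZ".
pub const SAMPLE_BLOCK: [u8; 10] = [0x35, b'a', b'b', b'c', 0x03, 0x00, 0x30, b'X', b'Y', b'Z'];
/// Constructed malformed block: literals "AB", then a match whose offset (5)
/// exceeds the 2 bytes written so far, the shape of input the check must reject.
pub const CRAFTED_BLOCK: [u8; 5] = [0x25, b'A', b'B', 0x05, 0x00];

fn main() {
    let mut out = [0u8; 32];
    let n = decompress_into(&SAMPLE_BLOCK, &mut out).expect("valid block");
    println!("{:?}", std::str::from_utf8(&out[..n]));
    println!("{:?}", decompress_into(&CRAFTED_BLOCK, &mut out));
}
```

The decoder returns Err before touching the output for the rejected match, so a caller that reuses a buffer across calls should treat any error as "discard the buffer contents", not "use the bytes written so far". For a dictionary-aware variant the same rule applies with the dictionary length added to `op` on the right-hand side of the comparison.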


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions      Patched versions
lz4_flex (crates.io)   < 0.11.6               0.11.6
lz4_flex (crates.io)   >= 0.12.0, < 0.12.1    0.12.1
