VYPR
← All advisories
Medium severityNVD Advisory· Published May 28, 2026· Updated May 28, 2026

CVE-2026-42250

CVE-2026-42250

Description

bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corruption and a crash (denial of service).

This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

bzip2recover in bzip2 before 1.0.9 has an off-by-one error leading to out-of-bounds write and denial of service via crafted file.

Vulnerability

bzip2 contains an off-by-one error in the bzip2recover utility, classified as CWE-787 Out-of-bounds Write [2]. When processing a specially crafted file, the application performs an out-of-bounds write to a global buffer, resulting in memory corruption. All versions of bzip2 before 1.0.9 are affected [2].

Exploitation

An attacker must provide a crafted bzip2 file to a user who then runs bzip2recover on it. No special privileges or network access are required beyond the ability to deliver the malicious file. The off-by-one error triggers an out-of-bounds write, causing the utility to crash [2].

Impact

Successful exploitation results in a denial of service (crash) of the bzip2recover utility. No code execution or data corruption beyond the crash has been reported [2].

Mitigation

The vulnerability is fixed in bzip2 version 1.0.9, corresponding to commit 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67 [2]. Users should upgrade to bzip2 1.0.9 or later. No workarounds are available [2].

References
  1. Vulnerability in bzip2 software

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.