PT-2025-14778 · Liblzma+8

Published: 2025-03-31 · Updated: 2025-11-14 · CVE-2025-31115

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: XZ Utils versions 5.3.3alpha through 5.8.0

Description: The multithreaded .xz decoder in liblzma has a bug where invalid input can at least crash the process. The effects include a heap use-after-free and a write to an address derived from a NULL pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt() function are affected.

Recommendations: To resolve the issue, update to XZ Utils version 5.8.1 or later. A standalone patch is also available for all affected releases. As a temporary workaround, consider disabling use of lzma_stream_decoder_mt() until the patch is applied. Restrict access to the vulnerable liblzma library to minimize the risk of exploitation, and avoid calling lzma_stream_decoder_mt() from affected API endpoints until the issue is resolved.
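As an added example (not part of this advisory), a small Python helper that converts an xz/liblzma version string into liblzma's own numeric version encoding (from lzma/version.h, where alpha and beta releases sort below the stable release) and reports whether the version falls inside the affected range stated above; the `xz --version` output it parses is a constructed sample.

```python
import re

# liblzma encodes its version as a single integer (lzma/version.h):
#   major * 10000000 + minor * 10000 + patch * 10 + stability
# where stability is 0 for alpha, 1 for beta and 2 for a stable release.
# Using the same encoding makes "5.3.3alpha" sort below "5.3.3", as liblzma does.
STABILITY = {"alpha": 0, "beta": 1, "": 2}

# Affected range from the advisory: 5.3.3alpha through 5.8.0 inclusive; fixed in 5.8.1.
FIRST_AFFECTED = "5.3.3alpha"
LAST_AFFECTED = "5.8.0"
FIXED = "5.8.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")


def version_number(version: str) -> int:
    """Convert e.g. '5.8.0' or '5.3.3alpha' to liblzma's integer version encoding."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised xz/liblzma version: {version!r}")
    major, minor, patch, stability = m.groups()
    return (int(major) * 10000000 + int(minor) * 10000
            + int(patch) * 10 + STABILITY[stability or ""])


def is_affected(version: str) -> bool:
    """True if the liblzma version is within the CVE-2025-31115 affected range."""
    n = version_number(version)
    return version_number(FIRST_AFFECTED) <= n <= version_number(LAST_AFFECTED)


def parse_xz_version_output(output: str) -> str:
    """Pick the liblzma version out of `xz --version` output (second line, 'liblzma X.Y.Z')."""
    for line in output.splitlines():
        if line.startswith("liblzma "):
            return line.split()[1]
    raise ValueError("no liblzma line found in xz --version output")


# Constructed sample of `xz --version` output; not captured from a real host.
SAMPLE_OUTPUT = "xz (XZ Utils) 5.6.2\nliblzma 5.6.2\n"

if __name__ == "__main__":
    found = parse_xz_version_output(SAMPLE_OUTPUT)
    status = "affected" if is_affected(found) else "not affected"
    print(f"liblzma {found}: {status}; fixed in {FIXED}")
```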

Exploit · Fix · RCE · DoS

Weakness Enumeration: NULL Pointer Dereference; Use After Free

Related Identifiers

ALSA-2025:7524
ALT-PU-2025-12940
AZL-59497
BDU:2025-03866
CVE-2025-31115
DSA-5895-1
ECHO-06A1-9520-94DF
FREEBSD-SA-25_06
GHSA-6CC8-P5MM-29W2
HSEC-2025-0003
MGASA-2025-0131
OESA-2025-1430
OESA-2025-1431
OPENSUSE-SU-2025:14984-1
OPENSUSE-SU-2025_1137-1
RHSA-2025:7524
SUSE-SU-2025:1137-1
SUSE-SU-2025:20553-1
SUSE-SU-2025:20590-1
SUSE-SU-2025_1137-1
USN-7414-1

Affected Products

Alt Linux
Astra Linux
Debian
FreeBSD
Linux Mint
SUSE
Ubuntu
XZ Utils
liblzma