PT-2025-35145 · Xz+3

Author: Gregorybuligin · Published: 2025-08-28 · Updated: 2026-02-10

CVE-2025-58058
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: xz versions prior to 0.5.14
Description: The xz package contains a flaw where data can be prepended to an LZMA-encoded byte stream without this being detected while the header is read. This can lead to excessive memory consumption, because a full decoding buffer is allocated. Per the specification, the LZMA header has no magic number or checksum by which the problem could be identified. The code eventually detects the problem while reading the stream, but by then the memory has already been allocated. This issue affects software that uses lzma.NewReader or lzma.ReaderConfig.NewReader.
Recommendations: Update to xz version 0.5.14 or later to address this issue.
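As an added example (not code from the xz project or from this advisory), a stand-alone Go parser for the 13-byte LZMA header that enforces a cap on the declared dictionary size before any decoder buffer would be allocated; the 64 MiB cap and the two sample headers are constructed for this example. Because the header carries no magic number or checksum, a byte stream with data prepended still parses as a header, so bounding the declared dictionary size is the pre-allocation check a caller can apply (the library's lzma.ReaderConfig exposes a DictCap field for the same purpose; that field name is assumed from memory of the API).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const maxDictSize = 64 << 20 // policy cap on the declared dictionary size (chosen for this example)

// lzmaHeader holds the fields of the 13-byte LZMA ("LZMA alone") header.
type lzmaHeader struct {
	LC, LP, PB       uint8
	DictSize         uint32
	UncompressedSize uint64 // all 0xff bytes means "unknown"
}

// parseLZMAHeader decodes the header and rejects an oversized declared dictionary
// before any decoder buffer is allocated. The format has no magic number or
// checksum, so this bound is the only pre-allocation check available.
func parseLZMAHeader(b []byte) (lzmaHeader, error) {
	var h lzmaHeader
	if len(b) < 13 {
		return h, errors.New("lzma: header too short")
	}
	props := b[0]
	if props >= 225 { // props = pb*45 + lp*9 + lc, with lc<9, lp<5, pb<5
		return h, fmt.Errorf("lzma: invalid properties byte 0x%02x", props)
	}
	h.LC, h.LP, h.PB = props%9, (props/9)%5, props/45
	h.DictSize = binary.LittleEndian.Uint32(b[1:5])
	h.UncompressedSize = binary.LittleEndian.Uint64(b[5:13])
	if h.DictSize > maxDictSize {
		return h, fmt.Errorf("lzma: declared dictionary %d bytes exceeds cap %d", h.DictSize, maxDictSize)
	}
	return h, nil
}

func main() {
	// Constructed header: lc=3 lp=0 pb=2 (props 0x5d), 8 MiB dictionary, unknown size.
	good := []byte{0x5d, 0, 0, 0x80, 0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
	// One junk byte prepended: still a syntactically valid header, but the dictionary
	// field now reads 0x8000005d bytes; the cap refuses it instead of allocating.
	shifted := append([]byte{0x5d}, good...)
	for _, in := range [][]byte{good, shifted} {
		h, err := parseLZMAHeader(in)
		fmt.Printf("dict=%d err=%v\n", h.DictSize, err)
	}
}
```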

Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

AZL-66713
AZL-66716
AZL-66720
AZL-66723
AZL-66725
AZL-66728
AZL-66731
AZL-66735
AZL-66741
AZL-66744
AZL-66747
AZL-66750
AZL-66753
AZL-66759
AZL-66762
BDU:2025-12797
CVE-2025-58058
ECHO-F551-FD1B-F6F6
GHSA-JC7W-C686-C4V9
GO-2025-3922
OPENSUSE-SU-2025:15503-1
OPENSUSE-SU-2025:15508-1
OPENSUSE-SU-2025:15509-1
OPENSUSE-SU-2025:15515-1
OPENSUSE-SU-2025:15537-1
OPENSUSE-SU-2025:15542-1
OPENSUSE-SU-2025:15564-1
OPENSUSE-SU-2025:15631-1
OPENSUSE-SU-2025:15722-1
OPENSUSE-SU-2025:20031-1
OPENSUSE-SU-2025:20073-1
OPENSUSE-SU-2025:20117-1
OPENSUSE-SU-2025:20160-1
OPENSUSE-SU-2026:20105-1
OPENSUSE-SU-2026:20192-1
OPENSUSE-SU-2026:20798-1
SUSE-SU-2025:03289-1
SUSE-SU-2025:03448-1
SUSE-SU-2025:21137-1
SUSE-SU-2025:4121-1
SUSE-SU-2025_03448-1
SUSE-SU-2026:0383-1

Affected Products

Debian
Red Os
Suse
Xz