PT-2026-25910 · Lz4 Flex · Lz4 Flex

Marcono1234 · Published 2026-01-01 · Updated 2026-03-20 · CVE-2026-32829

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: lz4_flex versions 0.11.5 and below, and 0.12.0

Description: lz4_flex, a Rust implementation of LZ4 compression/decompression, contains a flaw where decompressing invalid LZ4 data can lead to information disclosure. Specifically, the library does not properly validate offset values during LZ4 match copy operations, which can cause out-of-bounds reads from the output buffer. This can leak sensitive data from uninitialized memory, or from previous decompression operations when an output buffer is reused. The block-based API functions (decompress_into, decompress_into_with_dict, and others when the safe-decode feature is disabled) are affected; the frame APIs are not. The issue stems from improper validation of offset values during decompression, which allows data to be copied from outside the initialized portion of the output buffer. This can occur in two scenarios: when the unsafe implementation is used (safe-decode feature flag disabled) and when decompressing into a reused output buffer.

Recommendations: lz4_flex versions prior to 0.11.6 are affected, as is lz4_flex version 0.12.0. Upgrade to lz4_flex version 0.11.6 or 0.12.1 to resolve the issue. If upgrading is not possible, zero the output buffer before calling lz4_flex::block::decompress_into or lz4_flex::block::decompress_into_with_dict. Enable the safe-decode feature flag as a mitigation.
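The two points above, the offset check that a match copy must perform and the zero-the-buffer workaround for callers who cannot upgrade, are shown below in an added Rust example that uses only the standard library. It is not lz4_flex's own code: the decoder is a minimal LZ4 block decoder written for this page, and the names decompress_block_checked, decompress_into_reused and DecodeError are this example's own. The sample blocks are constructed by hand.

```rust
// Added example (not lz4_flex's code): a minimal, bounds-checked LZ4 block
// decoder whose match copy validates the offset against the bytes written so
// far, plus the advisory's workaround of zero-filling a reused output buffer.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    TruncatedInput,
    OutputTooSmall,
    /// Match offset is zero or points before the bytes written by this call:
    /// the class of input the advisory describes (a read outside the
    /// initialized part of the output buffer).
    BadOffset { offset: usize, written: usize },
}

/// Read an LZ4 extended length: add each byte, stop at the first byte < 255.
fn read_ext_len(input: &[u8], pos: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*pos).ok_or(DecodeError::TruncatedInput)?;
        *pos += 1;
        len += b as usize;
        if b != 255 {
            return Ok(len);
        }
    }
}

/// Decompress one LZ4 block into `out`, returning the number of bytes written.
/// Every match copy checks that the offset lies inside the bytes written by
/// THIS call, so stale or uninitialized bytes in `out` are never read.
pub fn decompress_block_checked(input: &[u8], out: &mut [u8]) -> Result<usize, DecodeError> {
    let mut ip = 0usize; // input position
    let mut op = 0usize; // output position = bytes initialized so far
    while ip < input.len() {
        let token = input[ip];
        ip += 1;
        // Literals: high nibble of the token, extended when it is 15.
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 {
            lit_len = read_ext_len(input, &mut ip, lit_len)?;
        }
        let lit_end = ip.checked_add(lit_len).ok_or(DecodeError::TruncatedInput)?;
        if lit_end > input.len() {
            return Err(DecodeError::TruncatedInput);
        }
        if op + lit_len > out.len() {
            return Err(DecodeError::OutputTooSmall);
        }
        out[op..op + lit_len].copy_from_slice(&input[ip..lit_end]);
        ip = lit_end;
        op += lit_len;
        if ip == input.len() {
            break; // final sequence carries literals only
        }
        // Match: 2-byte little-endian offset, then length (low nibble + 4).
        if ip + 2 > input.len() {
            return Err(DecodeError::TruncatedInput);
        }
        let offset = u16::from_le_bytes([input[ip], input[ip + 1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0F) as usize;
        if match_len == 15 {
            match_len = read_ext_len(input, &mut ip, match_len)?;
        }
        match_len += 4;
        // The validation the advisory is about: the match source must start
        // inside the bytes this call has already written.
        if offset == 0 || offset > op {
            return Err(DecodeError::BadOffset { offset, written: op });
        }
        if op + match_len > out.len() {
            return Err(DecodeError::OutputTooSmall);
        }
        // Byte-wise copy so overlapping matches (offset < match_len) repeat correctly.
        for i in 0..match_len {
            out[op + i] = out[op + i - offset];
        }
        op += match_len;
    }
    Ok(op)
}

/// Advisory workaround for callers stuck on an affected version: clear the
/// reused output buffer before decoding, so a decoder that reads past the
/// initialized region can only ever expose zeros, never a previous payload.
pub fn decompress_into_reused(input: &[u8], buf: &mut Vec<u8>, capacity: usize) -> Result<usize, DecodeError> {
    buf.clear();
    buf.resize(capacity, 0); // every byte of the reused buffer is now zero
    decompress_block_checked(input, buf)
}

fn main() {
    // Constructed block: literals "abc", match offset 3 length 9, literal "!".
    let block = [0x35u8, b'a', b'b', b'c', 0x03, 0x00, 0x10, b'!'];
    let mut buf = vec![0xAAu8; 64]; // pretend this holds a previous payload
    let n = decompress_into_reused(&block, &mut buf, 32).expect("valid block");
    println!("{}", String::from_utf8_lossy(&buf[..n]));
    // Constructed block whose match offset (5) exceeds the 1 byte written.
    let bad = [0x14u8, b'x', 0x05, 0x00];
    println!("{:?}", decompress_block_checked(&bad, &mut buf));
}
```

With a real lz4_flex dependency the same zeroing is done by the caller before lz4_flex::block::decompress_into, and the safe-decode feature is kept enabled in Cargo.toml (it is one of the crate's features, so do not build with default features disabled unless you re-enable it).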

Related Identifiers

CVE-2026-32829
GHSA-VVP9-7P8X-RFVV
RUSTSEC-2026-0041

Affected Products

Lz4 Flex