CVE-2020-22916

MEDIUM

XZ 5.2.5 - Denial of Service

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-22916, a PoC repository published by greydoubt.

AI-analyzed exploit summary: This repository contains test files and scripts for the xz library, including coverage testing and file generation tools. The README explicitly labels CVE-2020-22916 as a 'bogus CVE,' indicating no functional exploit code is present.

Description

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompressing the 17,486-byte file always yields 114,881,179 bytes (roughly 6,570:1), a finite and deterministic result whose expansion ratio is comparable to what xz itself produces on a long run of identical bytes.
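The practical point behind the dispute is that an expansion of several thousand to one is legitimate LZMA behaviour, so a decoder that handles untrusted input needs an explicit output cap rather than a smarter parser. The following is an added example, not code from the page, the xz project, or the linked repository; it uses Python's standard-library lzma module (a wrapper around liblzma) and drives the decoder through max_length so that the cap is enforced chunk by chunk. The advisory does not provide the crafted file, so the sample stream is constructed inline from a run of zero bytes as a stand-in that exhibits the same kind of extreme expansion; the function and class names are this example's own.

```python
import lzma

# Figures from the advisory: the disputed input expands 17,486 -> 114,881,179 bytes.
ADVISORY_IN, ADVISORY_OUT = 17_486, 114_881_179


class DecompressionBombError(ValueError):
    """Decompressed output would exceed the caller's cap."""


class TruncatedStreamError(lzma.LZMAError):
    """Decoder asked for more input after the whole input was supplied."""


def expansion_ratio(compressed_len: int, decompressed_len: int) -> float:
    """Bytes out per byte in; about 6,570 for the advisory's file."""
    return decompressed_len / compressed_len


def bounded_decompress(data: bytes, max_out: int, chunk: int = 64 * 1024) -> bytes:
    """Decompress an .xz stream but never produce more than max_out bytes.

    All input is handed to the decoder up front; output is then pulled in
    `chunk`-sized pieces via max_length and the cap is checked after every
    piece, so a crafted stream can cost at most max_out + chunk bytes of
    memory before it is rejected, whatever its nominal size.
    """
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    out = bytearray()
    piece = dec.decompress(data, max_length=chunk)
    while True:
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(
                f"output exceeds {max_out} bytes from {len(data)} input bytes"
            )
        if dec.eof:
            return bytes(out)
        if dec.needs_input:
            # We already gave it everything, so the stream is cut short.
            raise TruncatedStreamError("truncated .xz stream")
        # Decoder still holds buffered output or unconsumed input: drain it.
        piece = dec.decompress(b"", max_length=chunk)


def make_sample(n: int = 8 * 1024 * 1024) -> bytes:
    """Constructed stand-in for the crafted file: n zero bytes as an .xz stream.

    This is not the advisory's input (the page does not provide it); a run of
    identical bytes simply reproduces the same class of extreme expansion.
    """
    return lzma.compress(b"\0" * n, format=lzma.FORMAT_XZ)


if __name__ == "__main__":
    sample = make_sample()
    print(f"advisory: {expansion_ratio(ADVISORY_IN, ADVISORY_OUT):.0f}:1")
    print(f"sample: {len(sample)} bytes compressed, "
          f"{expansion_ratio(len(sample), 8 * 1024 * 1024):.0f}:1")
    try:
        bounded_decompress(sample, max_out=1024 * 1024)
    except DecompressionBombError as exc:
        print("rejected:", exc)
    print("accepted:", len(bounded_decompress(sample, max_out=16 * 1024 * 1024)), "bytes")
```

The same bound applies when calling liblzma directly: check the stream's total_out against the cap between lzma_code() calls and stop decoding once it is passed. Note that xz's --memlimit options bound the decoder's working memory, not the amount of output it writes, so they do not substitute for this check.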

Exploits (1)

nomisec WRITEUP
by greydoubt · poc
https://github.com/greydoubt/xz


Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: xz library
No auth needed
Prerequisites: xz library source code · lcov and genhtml for coverage testing
devstral-2 · analyzed Apr 10, 2026

Scores

CVSS v3 5.5
EPSS 0.0024
EPSS Percentile 14.8%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (1)
tukaani/xz 5.2.5
Published Aug 22, 2023
Tracked Since Feb 18, 2026