CVE-2020-22916

MEDIUM

XZ 5.2.5 - DoS

Title source: llm

Description

An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of "endless output" and "denial of service" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.

Exploits (1)

nomisec WRITEUP

by greydoubt · poc

https://github.com/greydoubt/xz

View Code ZIP pw:eip

References (7)

[Product] https://tukaani.org/xz/

[Various Sources] http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2234987

[Broken Link] https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability

View Writeup ZIP pw:eip

[Issue Tracking] https://github.com/tukaani-project/xz/issues/61

[Third Party Advisory] https://security-tracker.debian.org/tracker/CVE-2020-22916

[Issue Tracking] https://bugzilla.suse.com/show_bug.cgi?id=1214590

Scores

CVSS v3 5.5

EPSS 0.0004

EPSS Percentile 12.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Details

Status published

Products (1)

tukaani/xz 5.2.5

Published Aug 22, 2023

Tracked Since Feb 18, 2026