Description
A vulnerability was found in ckolivas lrzip up to 0.651. It affects the function lzma_decompress_buf in the file stream.c. Manipulation leads to a use after free. The attack requires local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
References (7)
Core References
Permissions Required, VDB Entry vdb-entry
technical-description
https://vuldb.com/?id.344926
Permissions Required, VDB Entry signature
permissions-required
https://vuldb.com/?ctiid.344926
Permissions Required, VDB Entry third-party-advisory
https://vuldb.com/?submit.752595
Issue Tracking issue-tracking
https://github.com/ckolivas/lrzip/issues/262
Various Sources exploit
https://github.com/user-attachments/files/21709004/PoC_UAF.zip
Scores
CVSS v3
5.3
EPSS
0.0020
EPSS Percentile
10.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-416
Status
published
Products (2)
ckolivas/lrzip
< 0.651
ckolivas/lrzip
0.651
Published
Feb 10, 2026
Tracked Since
Feb 18, 2026