CVE-2025-58058
Severity: MEDIUM
ulikunitz/xz < 0.5.14 - Denial of Service via Malformed LZMA Header
Title source: llmDescription
xz is a pure Go package for reading and writing xz-compressed files. Prior to version 0.5.14, data could be placed in front of an LZMA-encoded byte stream without the situation being detected while reading the header. This can lead to increased memory consumption because the implementation allocated the full decoding buffer directly after reading the header. According to the specification, the LZMA header includes neither a magic number nor a checksum that would allow such an issue to be detected. Note that the code recognizes the problem later while reading the stream, but by then the memory allocation has already been done. This issue has been patched in version 0.5.14.
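The description above says the problem is ordering: the decoding buffer is sized from a header that carries no magic number and no checksum, so arbitrary leading bytes can be read as a header with an enormous dictionary size. The following is an added illustration written for this page, not code from ulikunitz/xz and not its fix. It assumes the classic 13-byte LZMA header layout (one properties byte, a little-endian 32-bit dictionary size, a little-endian 64-bit uncompressed size with all ones meaning unknown) and shows a defender-side check: validate the properties byte and apply a caller-supplied dictionary limit (`maxDict`, a name chosen here) before any allocation happens. The `garbageHeader` sample is constructed for the demonstration; it is plain text that still parses as a header, which is exactly why a size limit rather than header parsing alone is needed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	lzmaHeaderLen = 13
	unknownSize   = ^uint64(0) // all ones: uncompressed size not known
)

// Header holds the fields of a classic (.lzma) LZMA header.
type Header struct {
	LC, LP, PB       int
	DictSize         uint32
	UncompressedSize uint64
}

var ErrBadHeader = errors.New("lzma: malformed header")

// sampleHeader is a constructed valid header: props 0x5D (lc=3, lp=0, pb=2),
// dictionary size 8 MiB, uncompressed size unknown.
var sampleHeader = []byte{0x5d, 0x00, 0x00, 0x80, 0x00,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}

// garbageHeader is constructed junk that is NOT an LZMA stream, yet it has a
// properties byte below 225 and therefore parses without error.
var garbageHeader = []byte("hello world!!")

// ParseHeader decodes the 13-byte header. The only structural check the
// format offers is that the properties byte must be below 9*5*5 = 225.
func ParseHeader(b []byte) (Header, error) {
	if len(b) < lzmaHeaderLen {
		return Header{}, ErrBadHeader
	}
	props := int(b[0])
	if props >= 9*5*5 {
		return Header{}, ErrBadHeader
	}
	return Header{
		LC:               props % 9,
		LP:               (props / 9) % 5,
		PB:               props / 45,
		DictSize:         binary.LittleEndian.Uint32(b[1:5]),
		UncompressedSize: binary.LittleEndian.Uint64(b[5:13]),
	}, nil
}

// DecodeBufferSize returns how many bytes a decoder may allocate for the
// dictionary window, or an error when the header demands more than maxDict.
// When the uncompressed size is known, the window never needs to exceed the
// output, so the smaller of the two values is used. Calling this before
// allocating is the mitigation: untrusted header fields never drive an
// unbounded allocation.
func DecodeBufferSize(h Header, maxDict uint32) (int, error) {
	need := uint64(h.DictSize)
	if h.UncompressedSize != unknownSize && h.UncompressedSize < need {
		need = h.UncompressedSize
	}
	if need > uint64(maxDict) {
		return 0, fmt.Errorf("lzma: dictionary size %d exceeds limit %d: %w",
			need, maxDict, ErrBadHeader)
	}
	return int(need), nil
}

func main() {
	const limit = 64 << 20 // 64 MiB policy limit chosen for this example
	for name, hdr := range map[string][]byte{"sample": sampleHeader, "garbage": garbageHeader} {
		h, err := ParseHeader(hdr)
		if err != nil {
			fmt.Printf("%s: header rejected: %v\n", name, err)
			continue
		}
		n, err := DecodeBufferSize(h, limit)
		if err != nil {
			fmt.Printf("%s: parsed (lc=%d lp=%d pb=%d) but refused: %v\n", name, h.LC, h.LP, h.PB, err)
			continue
		}
		fmt.Printf("%s: would allocate %d bytes\n", name, n)
	}
}
```

The garbage sample yields a dictionary size of about 1.8 GB from the bytes "ello", which a decoder that allocates eagerly would try to reserve before noticing that the stream is not LZMA; the limit check turns that into an immediate error. The appropriate value of the limit is a deployment decision, not something the format can supply.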
References (2)
Vendor Advisory x_refsource_confirm
https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
Patch x_refsource_misc
https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
Scores
CVSS v3
5.3
EPSS
0.0039
EPSS Percentile
30.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
ulikunitz/xz
0 - 0.5.15 (Go)
ulikunitz/xz
< 0.5.14
Published
Aug 28, 2025
Tracked Since
Feb 18, 2026