CVE-2025-58058

MEDIUM EPSS 30.3%

Published Aug 28, 202510mo ago · Modified Jun 17, 20261w ago

5.3 CVSS 3.1

Medium

Published Aug 28, 2025 10mo ago

Last Modified Jun 17, 2026 1w ago

Description

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

CVSS Details

Base Score

5.3

Exploitability

3.9

Impact

1.4

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability Low

Threat Intelligence

EPSS Exploit Probability

30.3% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-770

References 2

github.com https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
github.com https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.