CVE-2025-58058 - Vulnerability Details

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2
https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
https://nvd.nist.gov/vuln/detail/CVE-2025-58058
https://www.cve.org/CVERecord?id=CVE-2025-58058

History

Fri, 29 Aug 2025 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-58058 https://www.cve.org/CVERecord?id=CVE-2025-58058
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 28 Aug 2025 22:00:00 +0000

Type	Values Removed	Values Added
Description		xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
Title		github.com/ulikunitz/xz leaks memory when decoding a corrupted multiple LZMA archives
Weaknesses		CWE-770
References		https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2 https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-08-28T21:54:05.561Z

Updated: 2025-08-29T13:23:07.497Z

Reserved: 2025-08-22T14:30:32.221Z

Link: CVE-2025-58058

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2025-08-28T22:15:32.577

Modified: 2025-08-29T16:24:29.730

Link: CVE-2025-58058

Redhat

Severity : Moderate

Publid Date: 2025-08-28T21:54:05Z

Links: CVE-2025-58058 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object