CVE-2026-34743: XZ Utils: Buffer overflow in lzma_index_append()
Published Apr 2, 2026
Last updated 2 June 2026
Other sources
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzma_index_decoder() was used to decode an Index that contained no Records, the resulting lzma_index was left in a state where a subsequent lzma_index_append() would allocate too little memory, and a buffer overflow would occur. This issue has been patched in version 5.8.3.
— MITRE
XZ Utils: Buffer overflow in lzma_index_append()
— Microsoft
Affected Software
8 affected components · Fixes available
Microsoft azl3 xz 5.4.4-2
Microsoft cbl2 xz 5.2.5-1
Microsoft cbl2 rust 1.72.0-15
Microsoft azl3 xz 5.4.4-3
Microsoft azl3 rust 1.90.0-6
Microsoft azl3 rust 1.75.0-27
Tukaani XZ <5.8.3
debian/xz-utils <=5.2.5-2.1~deb11u1, <=5.4.1-1, <=5.8.1-1
5.8.3-1
Remediation
Patch Available
Event History
Apr 2, 2026
CVE Published via MITRE · 06:36 PM
Data Sourced via MITRE · 06:36 PM: Description, Weakness
Data Sourced via NVD · 07:21 PM: Remedy, Description, Severity, Weakness, Affected Software
Apr 4, 2026
Data Sourced via Microsoft · 08:02 AM: Description, Severity, Weakness, Affected Software
Updated via Microsoft · 08:02 AM: Affected Software
Updated via Microsoft · 08:02 AM: Description, Severity
Jun 2, 2026
Data Sourced via Ubuntu · 12:37 PM: Remedy, Description, Severity, Affected Software
Data Sourced via Debian · 12:38 PM: Description, Affected Software
Data Sourced via Launchpad · 12:38 PM: Description