CVE-2014-125026 — Out-of-bounds write in github.com/cloudflare/golz4

Description

LZ4 bindings use a deprecated C API that is vulnerable to memory corruption, which could lead to arbitrary code execution if called with untrusted user input.

How to fix CVE-2014-125026

To remediate CVE-2014-125026, upgrade the affected package to a fixed version below.

Go/github.com/cloudflare/golz4—upgrade to 0.0.0-20140711154735-199f5f787806 or later
—upgrade to 0.0.0-20140711154735-199f5f787806 or later

Is CVE-2014-125026 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 0.0.0-20140711154735-199f5f787806
from 0, < 0.0.0-20140711154735-199f5f787806

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-125026
PATCHgithub.com/cloudflare/golz4
WEBgithub.com/cloudflare/golz4/commit/199f5f7878062ca17a98e079f2dbe1205e2ed898
WEBgithub.com/cloudflare/golz4/issues/5
WEB