CVE-2021-3520

CRITICAL9.8EPSS 0.14%

Memory corruption in liblz4

Published: 8/25/2022Modified: 4/28/2026

Description

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Affected packages (5)

Alpine/lz4from 0, < 1.9.2-r1
crates.io/lz4-sys>= 0.0.0-0, < 1.9.4
Debian/lz4from 0, < 1.9.3-2
Debian/lz4from 0, < 0.0~r131-2+deb9u1
Debian/lz4from 0, < 1.8.3-1+deb10u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://rustsec.org/advisories/RUSTSEC-2022-0051.html
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-3520
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3520
PATCHhttps://crates.io/crates/lz4-sys
WEBhttps://github.com/lz4/lz4/pull/972