Fluid Attacks Database

Description

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (decompress_into, decompress_into_with_dict, and others when safe-decode is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel10	rust	-	-
debian 14	rust-lz4-flex	=0.11.3-1 \|\| =0.11.3-2 \|\| >=0 <0.13.0-1	0.13.0-1
debian 13	rust-lz4-flex	=0.11.3-1 \|\| =0.11.3-2 \|\| =0.13.0-1	-
rpm rhel9	rust	-	-
cargo	lz4_flex	>=0 <0.11.6 \|\| >=0.12.0 <0.12.1	0.11.6, 0.12.1

Aliases

1. CVE-2026-328292. NVD-2026-328293. OSV-2026-328294. OSV-DEBIAN-2026-328295. GHSA-vvp9-7p8x-rfvv6. GCVE-2026-328297. SECURITY-TRACKER-CVE-2026-32829

References

1. https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv2. https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d3. https://rustsec.org/advisories/RUSTSEC-2026-0041.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.