CVE-2025-31115: XZ Utils Hit Again with High-Severity Multithreaded Decoder Bug


XZ Utils is a widely used suite of command-line tools and the liblzma library that provide data compression. It is often preferred over gzip because it produces smaller files. Its native container format is .xz; it also reads the legacy .lzma format.

However, a newly disclosed vulnerability, CVE-2025-31115, affects XZ Utils versions 5.3.3alpha through 5.8.0. It is a heap use-after-free in the multithreaded .xz decoder, and it can crash or corrupt the memory of any program that decompresses untrusted .xz data through that decoder.

Rated 8.7 (High) under CVSS v4.0, the flaw is a significant risk for any application or system that uses the lzma_stream_decoder_mt function in liblzma.

Specifically, the bug lies in how the multithreaded decoder handles invalid input. According to the project's advisory, “invalid input can at least result in a crash.” The advisory goes on to describe the effects as “heap use after free and writing to an address based on the null pointer plus an offset.” In practice this means that an attacker who can supply a crafted .xz stream gets at least a denial of service, and a heap use-after-free combined with an attacker-influenced write are the kind of memory-corruption primitives that, in the worst case, lead to unpredictable program behavior or arbitrary code execution.

Any application or library that calls lzma_stream_decoder_mt is exposed. That includes the xz command-line tool itself when it decompresses with more than one thread, since that mode goes through the multithreaded decoder.

Fortunately, a fix is available. XZ Utils 5.8.1 addresses the bug, and the fix has also been committed to the v5.4, v5.6, v5.8, and master branches of the xz Git repository. No new release packages will be produced for the older stable branches, but the project provides a “standalone patch” that applies to all affected releases. One consequence is that a distribution package whose version is still in the affected range may already carry the fix without a version bump, so check the vendor's advisory or changelog rather than relying on the version number alone.

For those unable to apply the patch immediately, a workaround exists. The single-threaded .xz decoder (lzma_stream_decoder) is not affected by this vulnerability. Decompressing with xz --decompress --threads=1 or with xzdec therefore avoids the vulnerable code path, because both use the single-threaded decoder. Programs that link liblzma directly can likewise call lzma_stream_decoder instead of lzma_stream_decoder_mt until the library is updated.
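The following script is an added example written for this article; it is not code from the xz project or from the advisory. It turns the version range above into a check an administrator can run: it parses the version printed by xz --version (or returned by liblzma's lzma_version_number() / lzma_version_string(), which are public liblzma API) and classifies it as unaffected, affected or fixed. The encoding of versions as MAJOR*10000000 + MINOR*10000 + PATCH*10 + STABILITY (0 alpha, 1 beta, 2 stable) is liblzma's own scheme from lzma/version.h; the range boundaries 5.3.3alpha, 5.8.0 and 5.8.1 come from the advisory. The sample version strings in the usage and tests are constructed.

```python
"""Check an XZ Utils / liblzma version against the CVE-2025-31115 range.

Added example for this article, not code from the xz project. The affected
range (5.3.3alpha through 5.8.0) and the fixed release (5.8.1) are taken from
the advisory. Versions are encoded the way liblzma's lzma_version_number()
encodes them (see lzma/version.h):
    MAJOR*10000000 + MINOR*10000 + PATCH*10 + STABILITY
with STABILITY 0 = alpha, 1 = beta, 2 = stable, so the integers compare in
release order and alpha/beta builds sort before their stable release.
"""
import ctypes
import ctypes.util
import re
import subprocess

_STABILITY = {"alpha": 0, "beta": 1, "": 2}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?")


def encode_version(text: str) -> int:
    """Encode the first x.y.z[alpha|beta] found in text as a liblzma-style number.

    Accepts raw 'xz --version' or lzma_version_string() output, for example
    'xz (XZ Utils) 5.8.0' -> 50080002. Raises ValueError if no version is present.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no xz version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    return major * 10000000 + minor * 10000 + patch * 10 + _STABILITY[m.group(4) or ""]


FIRST_AFFECTED = encode_version("5.3.3alpha")  # 50030030, first vulnerable release
LAST_AFFECTED = encode_version("5.8.0")        # 50080002, last vulnerable release
FIXED_RELEASE = encode_version("5.8.1")        # 50080012, first release with the fix


def classify_number(version_number: int) -> str:
    """Map an encoded version to 'unaffected', 'affected' or 'fixed'.

    'affected' means the upstream release falls in the vulnerable range. The
    fix was also backported as a standalone patch to the 5.4/5.6/5.8 branches
    without new releases, so a distribution package in this range may already
    be patched: treat 'affected' as 'confirm with your vendor', not as proof.
    """
    if version_number < FIRST_AFFECTED:
        return "unaffected"
    if version_number <= LAST_AFFECTED:
        return "affected"
    return "fixed"


def classify(text: str) -> str:
    """Classify a version string such as 'liblzma 5.4.6' or 'xz (XZ Utils) 5.8.1'."""
    return classify_number(encode_version(text))


def installed_liblzma():
    """Return (version_string, version_number) of the liblzma this process can
    load through ctypes, or None if none is found. Both calls are public liblzma API."""
    path = ctypes.util.find_library("lzma")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    lib.lzma_version_string.restype = ctypes.c_char_p
    lib.lzma_version_number.restype = ctypes.c_uint32
    return lib.lzma_version_string().decode(), int(lib.lzma_version_number())


def installed_xz_cli():
    """Return the first line of 'xz --version' (e.g. 'xz (XZ Utils) 5.8.0'),
    or None if the xz binary is not on PATH."""
    try:
        out = subprocess.run(["xz", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.splitlines()[0]


if __name__ == "__main__":
    cli = installed_xz_cli()
    print("xz CLI:", f"{cli} -> {classify(cli)}" if cli else "not found")
    lib = installed_liblzma()
    print("liblzma:", f"{lib[0]} -> {classify_number(lib[1])}" if lib else "not found")
    # Constructed sample strings, to show the classification without xz installed.
    for sample in ("xz (XZ Utils) 5.2.12", "xz (XZ Utils) 5.4.6", "liblzma 5.8.1"):
        print(f"{sample} -> {classify(sample)}")
    print("workaround while unpatched: xz --decompress --threads=1 (or xzdec)")
```

The two lookup functions are deliberately separate because the xz binary and the liblzma a given application loads can differ in version (for example a vendored or statically linked liblzma), and the advisory's exposure condition is about the library function, not the tool.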

XZ Utils was also at the center of a major supply chain incident. In March 2024, Red Hat warned of a backdoor in the then-latest XZ Utils tools and libraries, tracked as CVE-2024-3094 and assigned a critical CVSS score of 10.0. Red Hat advised users to immediately stop using Fedora development and experimental (Rawhide) builds, and xz in the Fedora 40 beta was reverted to 5.4.x versions.

The malicious code was obfuscated and present in the release tarballs but not in the Git source tree; it was injected at build time through a malicious M4 macro.
