XZ-Utils: Vulnerability probably enables code smuggling

There is a gaping security hole in the widespread XZ utils that could potentially be misused to inject malicious code.

(Image: A ZIP file opens and releases malware on the computer. Created with AI in Bing Designer by heise online / dmk)


A security vulnerability has been discovered in the XZ compression library. It can probably be misused to inject malicious code. Updated source code is available; it now has to make its way into updated software.

The vulnerability is described in a security advisory on GitHub. "Invalid input data can at least lead to a crash," the authors explain. "The effects include using the heap after a free operation and writing to an address based on the null pointer plus an offset," they continue. Apps and libraries that use the lzma_stream_decoder_mt function are affected (CVE-2025-31115, CVSS 8.7, risk "high").

The single-threaded decoder lzma_stream_decoder does not contain the security-relevant flaw. It is used, for example, when calling xz --decompress --threads=1 or "xzdec", though xz is rarely invoked this way. The XZ tools are used in the background in many places and in many projects, hence the high risk rating.


The bug is fixed in XZ Utils version 5.8.1 and newer. The developers have also (back-)ported the patches to the older development branches 5.4, 5.6 and 5.8 and to the "master" branch of the xz Git repository. There are no new release packages for the old "stable" branches, but the security advisory also links to a standalone patch for them.
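A small triage helper for the version and workaround details above, added here as an example (it is not code from heise or from the xz project). It parses `xz --version` output and reports whether the reported liblzma is at least 5.8.1; the "liblzma X.Y.Z" line format and the constructed sample output are assumptions, and a distribution that backported the patch keeps an older version number, so an "older than 5.8.1" result means "check the vendor advisory", not "vulnerable".

```shell
#!/bin/sh
# Added triage helper for CVE-2025-31115; not code from heise or the xz project.
# Parses `xz --version` output and reports whether the reported liblzma is at
# least 5.8.1, the first release with the fix. Assumption: the "liblzma X.Y.Z"
# line format. Distributions that backported the patch keep an older version
# number, so "older than 5.8.1" means "check the vendor advisory", not "vulnerable".

# Dotted-version comparison: prints 1 if $1 >= $2, otherwise 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) { print 1; exit }
            if (xi < yi) { print 0; exit }
        }
        print 1
    }'
}

# Extract the liblzma version from `xz --version` text; prints nothing if absent.
liblzma_version() {
    printf '%s\n' "$1" | awk '$1 == "liblzma" { print $2; exit }'
}

# Exit status 0 if the reported liblzma is 5.8.1 or newer, 1 otherwise.
liblzma_fixed() {
    v=$(liblzma_version "$1")
    [ -n "$v" ] && [ "$(version_ge "$v" 5.8.1)" = 1 ]
}

# Constructed sample output; on a real host substitute: SAMPLE=$(xz --version)
SAMPLE='xz (XZ Utils) 5.6.2
liblzma 5.6.2'

if liblzma_fixed "$SAMPLE"; then
    echo "liblzma >= 5.8.1: multithreaded decoder fix present"
else
    echo "liblzma older than 5.8.1: verify the distribution backport;"
    echo "meanwhile decode with: xz --decompress --threads=1 (or xzdec)"
fi
```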

Several Linux distributions are already updating the XZ utils. However, since they are also bundled into various other software packages, such as SSH, numerous apps and services have to build and distribute updates of their own. Naturally, this also affects various programs that run under macOS and Windows.

The XZ library, which had previously gone largely unnoticed, gained rather dubious fame last spring when suspected Asian criminals attempted to build a backdoor into the code. They took advantage of the fact that the maintainer was under severe psychological strain and ultimately pushed for the malicious code to be included in mainstream Linux distributions. An attentive developer discovered the infiltrated software because a failed SSH log-in took around 500 milliseconds longer than on other systems with an older version of liblzma.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.