Vulnerability in Pseitz Lz4_flex
CVE-2026-32829
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression oper…
EPSS: 0.000 (3.4th percentile)
Affected products
- Pseitz Lz4_flex: versions < 0.11.6, and versions >= 0.12.0 but < 0.12.1
Weakness classification (CWE)
References
- https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv (x_refsource_CONFIRM)
- https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d (x_refsource_MISC)
- https://rustsec.org/advisories/RUSTSEC-2026-0041.html (x_refsource_MISC)