CVE-2025-15570
Published: 10 February 2026
Summary
CVE-2025-15570 is a use-after-free vulnerability (CWE-416, also classed under CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer) in ckolivas lrzip. Two severity ratings are listed for it: a base score of 1.9 (Low) here, and, in the analysis below, a CVSS v3.1 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, which evaluates to 5.3 (Medium). The vector is the verifiable figure.
Operationally, the issue sits at the 1.1st percentile by exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and CM-7 (Least Functionality).
Deeper analysis
CVE-2025-15570 is a use-after-free (CWE-416, also mapped to CWE-119) in ckolivas lrzip versions up to 0.651, in the lzma_decompress_buf function in stream.c. The defect is improper memory handling during decompression: a buffer is used after it has been released. The CVSS v3.1 base score is 5.3 (Medium), vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The CVE was published on 2026-02-10.
Exploitation requires local access with low privileges: an attacker who can get a crafted archive fed to the affected decompression routine can trigger the use-after-free. Successful exploitation could yield limited disclosure of sensitive information, modification of data, or denial of service; the impact is confined because the vector carries no privilege escalation and no scope change (S:U). A proof-of-concept exploit is publicly available.
No patch or official mitigation is available: the maintainers were notified early via GitHub issue #262 but have not responded. Until a fix ships, monitor the lrzip repository for updates, do not decompress untrusted .lrz archives with an affected build, and where lrzip must process external input, run it with least privilege and resource limits so a crash in the decoder stays contained. The public PoC increases the likelihood of targeted local attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207358
Vulnerability details
A vulnerability was found in ckolivas lrzip up to 0.651. This impacts the function lzma_decompress_buf of the file stream.c. Performing a manipulation results in use after free. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s): CWE-416 (Use After Free), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
Related Threats
MITRE ATT&CK Enterprise Techniques: insufficient information to map techniques.
Mitigating Controls (NIST 800-53 r5)
- SI-16 (Memory Protection): hardened allocators, ASLR and similar memory protections make the use-after-free in lzma_decompress_buf substantially harder to turn into information disclosure or code execution; they raise the cost of exploitation rather than removing the defect.
- SI-10 (Information Input Validation): requires that untrusted input be validated before it reaches the vulnerable decompression routine in stream.c. In practice this means accepting .lrz archives only from trusted, integrity-checked sources, since the archive format itself cannot be vetted without running the decoder.
- CM-7 (Least Functionality): restricts installation or execution of the vulnerable lrzip binary (or its lzma feature) to reduce attack surface until a fix is available.