Cyber Resilience

CVE-2026-32829

Severity: High (updated)

Published: 20 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score v4: 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (35.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-32829 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in lz4_flex (PSeitz). Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 35.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32829 affects lz4_flex, a pure Rust implementation of the LZ4 compression and decompression library. The vulnerability exists in versions 0.11.5 and prior, as well as version 0.12.0, where decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or previous decompression operations. This occurs due to improper validation of offset values during LZ4 match copy operations, enabling out-of-bounds reads from the output buffer. Only block-based API functions such as decompress_into and decompress_into_with_dict are impacted when safe-decode is disabled; all frame-based APIs remain unaffected.

Attackers can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Any unauthenticated party able to supply crafted or malformed LZ4 input to the affected block-based APIs can trigger the out-of-bounds reads, potentially exposing confidential data or secrets present in the output buffer, such as memory contents from prior operations.

Mitigation is available through upgrading to fixed versions 0.11.6 or 0.12.1, where the offset validation issue has been addressed, as detailed in the project's GitHub commit (https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d), security advisory (https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv), and RustSec advisory (https://rustsec.org/advisories/RUSTSEC-2026-0041.html). The flaw is classified under CWE-201 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-823 (Use of Out-of-bounds Read).

Vulnerability details

lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Remote unauthenticated exploitation of public-facing apps using the LZ4 library for crafted input (T1190) directly enables unauthorized collection of sensitive data/secrets from process memory via out-of-bounds read (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-23774 (shared CWE-201)
CVE-2024-56300 (shared CWE-201)
CVE-2024-13254 (shared CWE-201)
CVE-2026-27406 (shared CWE-201)
CVE-2023-38013 (shared CWE-201)
CVE-2025-22303 (shared CWE-201)
CVE-2025-24582 (shared CWE-201)
CVE-2024-13259 (shared CWE-201)
CVE-2025-68035 (shared CWE-201)
CVE-2025-67931 (shared CWE-201)

Affected Assets

PSeitz lz4_flex: 0.12.0 · ≤ 0.11.6

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires organizations to identify, report, prioritize, and remediate flaws like the out-of-bounds read in lz4_flex, directly enabling upgrades to fixed versions 0.11.6 or 0.12.1.

SI-16 Memory Protection (prevent)

Employs safeguards to protect system memory from unauthorized disclosure, directly countering leaks of sensitive information from uninitialized memory or prior operations via out-of-bounds reads.

SI-10 Information Input Validation (prevent)

Mandates validation of information inputs such as malformed LZ4 data to prevent invalid offset values in match copy operations from triggering out-of-bounds reads.
