CVE-2026-32829
Published: 20 March 2026
Summary
CVE-2026-32829 is a high-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Pseitz Lz4 Flex. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 3.0 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires organizations to identify, report, prioritize, and remediate flaws like the out-of-bounds read in lz4_flex, directly enabling upgrades to fixed versions 0.11.6 or 0.12.1.
- SI-16 (Memory Protection): employs safeguards to protect system memory from unauthorized disclosure, directly countering leaks of sensitive information from uninitialized memory or prior operations via out-of-bounds reads.
- SI-10 (Information Input Validation): mandates validation of information inputs such as malformed LZ4 data to prevent invalid offset values in match copy operations from triggering out-of-bounds reads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of public-facing applications that decompress attacker-supplied LZ4 input with the library (T1190) directly enables collection of sensitive data and secrets from process memory via the out-of-bounds read (T1005).
NVD Description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
Deeper analysis
CVE-2026-32829 affects lz4_flex, a pure Rust implementation of the LZ4 compression and decompression library. The vulnerability exists in versions 0.11.5 and prior, as well as version 0.12.0, where decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or previous decompression operations. This occurs due to improper validation of offset values during LZ4 match copy operations, enabling out-of-bounds reads from the output buffer. Only block-based API functions such as decompress_into and decompress_into_with_dict are impacted when safe-decode is disabled; all frame-based APIs remain unaffected.
Attackers can exploit this vulnerability remotely with low complexity, requiring no privileges or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Any unauthenticated party able to supply crafted or malformed LZ4 input to the affected block-based APIs can trigger the out-of-bounds reads, potentially exposing confidential data or secrets present in the output buffer, such as memory contents from prior operations.
Mitigation is available through upgrading to fixed versions 0.11.6 or 0.12.1, where the offset validation issue has been addressed, as detailed in the project's GitHub commit (https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d), security advisory (https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv), and RustSec advisory (https://rustsec.org/advisories/RUSTSEC-2026-0041.html). The flaw is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-823 (Use of Out-of-range Pointer Offset).
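To make the missing check concrete, the following is an added illustration and not lz4_flex's own code: a minimal LZ4 block decoder in Rust that validates each match offset before the match copy. In the LZ4 block format a sequence is a token byte (literal length in the high nibble, match length minus 4 in the low nibble, 15 meaning "read extension bytes"), the literals, a 2-byte little-endian offset, and the match-length extension. A match copy reads from `produced - offset` in the output buffer, so an offset of zero or an offset larger than the number of bytes already produced is exactly the condition the advisory describes: the read lands outside what this decompression has written and returns whatever the buffer held before. The decoder below rejects such input with a typed error instead of copying. The function names `decompress_block`, `read_len`, the `DecodeError` variants and the `max_out` bound are this example's own assumptions; dictionary support is omitted for brevity.

```rust
/// Added example: a small LZ4 block decoder that enforces the offset
/// validation the advisory says the affected versions lacked. This is
/// illustrative code, not the lz4_flex implementation.

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    TruncatedInput,
    ZeroOffset { at: usize },
    /// Offset points before the start of what this call has produced.
    OffsetBeyondOutput { at: usize, offset: usize, produced: usize },
    OutputOverflow,
}

/// Read an LZ4 length: `base` is the token nibble; 15 means extension
/// bytes follow, each added until one is not 255.
fn read_len(input: &[u8], pos: &mut usize, base: usize) -> Result<usize, DecodeError> {
    let mut len = base;
    if base == 15 {
        loop {
            let b = *input.get(*pos).ok_or(DecodeError::TruncatedInput)?;
            *pos += 1;
            len += b as usize;
            if b != 255 {
                break;
            }
        }
    }
    Ok(len)
}

/// Decode one LZ4 block into a fresh Vec, capped at `max_out` bytes.
pub fn decompress_block(input: &[u8], max_out: usize) -> Result<Vec<u8>, DecodeError> {
    let mut out: Vec<u8> = Vec::with_capacity(max_out);
    let mut pos = 0usize;
    while pos < input.len() {
        let token = input[pos];
        pos += 1;

        // Literals: copied verbatim from the input.
        let lit_len = read_len(input, &mut pos, (token >> 4) as usize)?;
        let lits = input.get(pos..pos + lit_len).ok_or(DecodeError::TruncatedInput)?;
        if out.len() + lit_len > max_out {
            return Err(DecodeError::OutputOverflow);
        }
        out.extend_from_slice(lits);
        pos += lit_len;
        if pos == input.len() {
            break; // final sequence carries literals only
        }

        // Match: offset back into already-produced output, then length.
        let off = input.get(pos..pos + 2).ok_or(DecodeError::TruncatedInput)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        pos += 2;
        let match_len = read_len(input, &mut pos, (token & 0x0F) as usize)? + 4;

        // The validation at the heart of this advisory: the source of a
        // match copy must lie inside the bytes this call has produced.
        if offset == 0 {
            return Err(DecodeError::ZeroOffset { at: pos });
        }
        if offset > out.len() {
            return Err(DecodeError::OffsetBeyondOutput { at: pos, offset, produced: out.len() });
        }
        if out.len() + match_len > max_out {
            return Err(DecodeError::OutputOverflow);
        }
        let start = out.len() - offset;
        for i in 0..match_len {
            let b = out[start + i]; // byte-wise so overlapping matches work
            out.push(b);
        }
    }
    Ok(out)
}

/// Constructed sample: literals "abc", then a 9-byte match at offset 3,
/// then a final literal "z". Decodes to "abcabcabcabcz".
pub fn sample_valid_block() -> Vec<u8> {
    vec![0x35, b'a', b'b', b'c', 0x03, 0x00, 0x10, b'z']
}

/// Constructed malformed sample: same literals, but the match offset (16)
/// exceeds the 3 bytes produced so far, so a decoder without the check
/// would read stale buffer contents.
pub fn sample_bad_offset_block() -> Vec<u8> {
    vec![0x35, b'a', b'b', b'c', 0x10, 0x00]
}

fn main() {
    println!("{:?}", decompress_block(&sample_valid_block(), 64));
    println!("{:?}", decompress_block(&sample_bad_offset_block(), 64));
}
```

In deployment terms the same point maps onto the advisory's own guidance: upgrade to 0.11.6 or 0.12.1, leave the crate's `safe-decode` feature enabled where it is available, and prefer the frame APIs, which the advisory states are unaffected, for any input that crosses a trust boundary.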
Details
- CWE(s)