THREAT OPS › Threat News › [NVD] CVE-2026-32829 (HIGH 7.5) — lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly val
[NVD] CVE-2026-32829 (HIGH 7.5) — lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly val
CVE-2026-32829 CVSS: 7.5 HIGH Published: 2026-03-20T01:15:56.277
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations,
MITRE ATT&CK techniques
- CompressionT1027.015
Indicators of compromise
- CVE-2026-32829cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-32829