x64nop / nannu.org

CVE-2025-31115: XZ Utils

On the 25th of March I reported to Lasse Collin, the lead maintainer of XZ Utils, a bug I had stumbled upon while I was experimenting with file compressors. I had created a huge pile of files compressed using different tools and I had corrupted them using various methods.

One of the files happened to cause a segmentation fault in xz. It turned out that a mismatch of a single byte in a large .xz block could trigger a "Use After Free" error. UAF happens when a program uses memory it has previously freed.

If you want to know more about the bug, and its fix, read the post by Lasse Collin.