8.2
LZ4 Flex Decompression Can Leak Sensitive Data
GHSA-vvp9-7p8x-rfvv
RUSTSEC-2026-0041
CVE-2026-32829
Summary
A bug in the LZ4 Flex decompression library can leak sensitive information, such as passwords or other confidential data, from memory or from previous decompression operations. This can happen when decompressing invalid data or reusing an output buffer. To fix this issue, update to LZ4 Flex version 0.12.1 or 0.11.6.
What to do
- Update lz4_flex to version 0.11.6.
- Update lz4_flex to version 0.12.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | lz4_flex | <= 0.11.6 | 0.11.6 |
| – | lz4_flex | > 0.12.0, <= 0.12.1 | 0.12.1 |
Original title
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized ...
Original description
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
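The offset validation described above, shown in a simplified LZ4 block decoder. This is an added example, not lz4_flex's code or its patch; `decompress_block` and `DecodeError` are hypothetical names, and it assumes block decoding with no dictionary.

```rust
// Added example: simplified LZ4 block decoder (hypothetical names, no dictionary).
#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, OutputTooSmall, OffsetOutOfBounds }

// Read an LZ4 length: a 4-bit nibble, extended by following bytes when it is 15.
fn read_len(input: &[u8], pos: &mut usize, nibble: u8) -> Result<usize, DecodeError> {
    let mut len = nibble as usize;
    if nibble == 15 {
        loop {
            let b = *input.get(*pos).ok_or(DecodeError::Truncated)?;
            *pos += 1;
            len += b as usize;
            if b != 255 { break; }
        }
    }
    Ok(len)
}

/// Decode one LZ4 block into `out`, returning the number of bytes written.
/// `out` may be a reused buffer that still holds data from an earlier call.
pub fn decompress_block(input: &[u8], out: &mut [u8]) -> Result<usize, DecodeError> {
    let (mut ip, mut op) = (0usize, 0usize);
    while ip < input.len() {
        let token = input[ip];
        ip += 1;
        let lit = read_len(input, &mut ip, token >> 4)?;
        let src = input.get(ip..ip + lit).ok_or(DecodeError::Truncated)?;
        out.get_mut(op..op + lit).ok_or(DecodeError::OutputTooSmall)?.copy_from_slice(src);
        ip += lit;
        op += lit;
        if ip == input.len() { break; } // the last sequence carries literals only
        let off = input.get(ip..ip + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mlen = read_len(input, &mut ip, token & 0x0F)? + 4;
        // Offset validation: a match may only copy from bytes this call has
        // already written (1 <= offset <= op); anything else is rejected.
        if offset == 0 || offset > op { return Err(DecodeError::OffsetOutOfBounds); }
        if op + mlen > out.len() { return Err(DecodeError::OutputTooSmall); }
        for i in op..op + mlen { out[i] = out[i - offset]; } // byte-wise: source and target may overlap
        op += mlen;
    }
    Ok(op)
}
```

Malformed input surfaces as an error, so callers should treat any `Err` as a reason to discard the output buffer contents.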
ghsa CVSS4.0
8.2
Vulnerability type
CWE-201
CWE-823
- https://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv
- https://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b...
- https://github.com/advisories/GHSA-vvp9-7p8x-rfvv
- https://crates.io/crates/lz4_flex (Product)
- https://rustsec.org/advisories/RUSTSEC-2026-0041.html (Vendor Advisory)
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 16 Mar 2026