Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2021-3520

CVE-2021-3520: Lz4_project Lz4 DOS Vulnerability

CVE-2021-3520 is a denial of service flaw in Lz4_project Lz4 caused by an integer overflow that triggers out-of-bounds writes. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2021-3520 Overview

CVE-2021-3520 is an integer overflow vulnerability in the LZ4 compression library. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Critical Impact

This vulnerability allows remote attackers to potentially execute arbitrary code or cause denial of service by exploiting an integer overflow in the widely-used LZ4 compression library, affecting numerous enterprise products including NetApp, Oracle, and Splunk solutions.

Affected Products

  • lz4_project lz4
  • netapp active_iq_unified_manager
  • netapp cloud_backup
  • netapp ontap_select_deploy_administration_utility
  • oracle communications_cloud_native_core_policy
  • oracle zfs_storage_appliance_kit
  • splunk universal_forwarder

Discovery Timeline

  • June 2, 2021 - CVE CVE-2021-3520 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2021-3520

Vulnerability Analysis

The vulnerability exists in the LZ4 compression library's handling of specially crafted input data. When processing malicious compressed data, the library fails to properly validate size parameters before passing them to memory operations. This allows an attacker to trigger an integer overflow condition that converts a large positive value into a negative number when interpreted as a signed integer.

The flaw is classified as CWE-190 (Integer Overflow or Wraparound), a vulnerability type that occurs when an arithmetic operation attempts to create a numeric value that is outside of the range that can be represented with a given number of digits. In this case, the overflow results in a negative value being passed to memmove(), which interprets this as an extremely large unsigned value, causing memory corruption.

Root Cause

The root cause of CVE-2021-3520 lies in insufficient integer validation within the LZ4 decompression routines. When processing compressed data, the library performs arithmetic operations on size values without checking for potential overflow conditions. Specifically, when calculating buffer sizes or offsets during decompression, the code fails to validate that the result remains within expected bounds before using these values in memory operations.

This type of vulnerability is common in compression libraries where performance optimizations may inadvertently omit boundary checks that would prevent integer wraparound conditions.

Attack Vector

The attack vector for this vulnerability is network-based, requiring no privileges or user interaction to exploit. An attacker can exploit this vulnerability by:

  1. Crafting a malicious LZ4-compressed file with specially constructed size fields
  2. Delivering this file to any application that uses the vulnerable LZ4 library for decompression
  3. When the application processes the malicious data, the integer overflow triggers
  4. The subsequent memmove() call with a negative size argument causes out-of-bounds memory writes

The attack can be delivered through any input channel that processes LZ4-compressed data, including file uploads, network streams, or data at rest that gets decompressed by vulnerable applications. This makes the vulnerability particularly dangerous in environments using affected enterprise products for backup, storage, or monitoring operations.

Detection Methods for CVE-2021-3520

Indicators of Compromise

  • Unexpected crashes in applications using LZ4 compression library with error logs indicating memory access violations
  • Abnormal memory consumption patterns in processes performing LZ4 decompression operations
  • Core dumps or crash reports showing memmove() operations with unusual size parameters
  • Suspicious compressed files with anomalous header values or size fields

Detection Strategies

  • Implement file integrity monitoring for LZ4 library files to detect unauthorized modifications or outdated vulnerable versions
  • Deploy memory protection mechanisms such as ASLR and stack canaries to detect and prevent exploitation attempts
  • Monitor application logs for segmentation faults or memory corruption errors during decompression operations
  • Utilize SentinelOne's behavioral AI to detect anomalous process behavior indicative of memory corruption exploitation

Monitoring Recommendations

  • Enable comprehensive logging for applications that process LZ4-compressed data
  • Configure alerting for application crashes involving memory-related exceptions in decompression workflows
  • Track LZ4 library versions across your infrastructure using software composition analysis tools
  • Monitor for unusual network traffic patterns delivering potentially malicious compressed data

How to Mitigate CVE-2021-3520

Immediate Actions Required

  • Inventory all systems and applications using the LZ4 compression library to identify vulnerable deployments
  • Prioritize patching of internet-facing systems and applications that process untrusted compressed data
  • Review and update all affected enterprise products including NetApp, Oracle, and Splunk solutions to patched versions
  • Implement input validation for compressed data before processing where possible

Patch Information

Patches are available from the respective vendors for affected products. Consult the following resources for patch information:

Update the LZ4 library to the latest patched version available from your operating system vendor or the upstream LZ4 project.

Workarounds

  • Restrict processing of LZ4-compressed data from untrusted sources until patches can be applied
  • Implement network segmentation to limit exposure of vulnerable applications to untrusted input
  • Deploy application sandboxing to contain potential exploitation attempts
  • Consider disabling LZ4 compression in affected applications temporarily if alternate compression methods are available
bash
# Check for vulnerable LZ4 library versions
rpm -qa | grep lz4
dpkg -l | grep lz4

# Verify LZ4 library version on system
lz4 --version

# Update LZ4 package on RHEL/CentOS
sudo yum update lz4

# Update LZ4 package on Debian/Ubuntu
sudo apt-get update && sudo apt-get upgrade liblz4-1

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne