CVE-2025-15570 Overview
A use after free vulnerability has been discovered in ckolivas lrzip, a compression utility, affecting versions up to 0.651. The vulnerability exists in the lzma_decompress_buf function within the stream.c file. When exploited, this memory corruption flaw can allow an attacker with local access to potentially corrupt memory, leading to application crashes or unexpected behavior.
Critical Impact
Local attackers can exploit this use after free vulnerability in lrzip's LZMA decompression functionality to cause memory corruption, potentially leading to denial of service or code execution.
Affected Products
- lrzip versions up to 0.651
- Systems utilizing lrzip for file compression/decompression operations
Discovery Timeline
- 2026-02-10 - CVE-2025-15570 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-15570
Vulnerability Analysis
This vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), manifesting specifically as a use after free condition. The flaw occurs during LZMA decompression operations in lrzip when the lzma_decompress_buf function in stream.c improperly handles memory that has already been freed.
Use after free vulnerabilities occur when a program continues to reference memory after it has been returned to the allocator. In this case, the decompression routine appears to maintain pointers to buffer memory that may be deallocated during certain decompression paths, creating a dangling pointer scenario. When this memory is subsequently accessed, it may contain arbitrary data, leading to undefined behavior.
The vulnerability requires local access to exploit, meaning an attacker would need to provide a maliciously crafted compressed file to a system running the vulnerable lrzip version. A proof of concept has been publicly disclosed, increasing the risk of exploitation attempts.
Root Cause
The root cause lies in improper memory lifecycle management within the lzma_decompress_buf function. The function fails to properly track buffer allocation states during decompression operations, resulting in references to memory regions that have already been freed. This creates a use after free condition when the code attempts to operate on the invalidated memory reference.
Attack Vector
The attack requires local access to the target system. An attacker would need to:
- Craft a malicious compressed file designed to trigger the use after free condition during decompression
- Convince a user or automated process to decompress the malicious file using lrzip
- Exploit the resulting memory corruption to achieve their objective
The vulnerability has been publicly documented through GitHub Issue #262, and a proof of concept file demonstrating the vulnerability is available. The project maintainers were informed of the issue but have not yet responded.
Detection Methods for CVE-2025-15570
Indicators of Compromise
- Unexpected crashes or segmentation faults when running lrzip decompression operations
- Memory corruption errors or heap corruption warnings in system logs
- Abnormal memory access patterns detected by runtime sanitizers
- Presence of unusually structured or malformed .lrz compressed files
Detection Strategies
- Deploy memory safety tools such as AddressSanitizer (ASan) when running lrzip in testing environments to detect use after free conditions
- Monitor for lrzip process crashes or abnormal terminations on systems processing untrusted compressed files
- Implement file integrity monitoring for any .lrz files arriving from external sources
- Use SentinelOne's behavioral AI to detect anomalous memory access patterns indicative of exploitation attempts
Monitoring Recommendations
- Enable core dump analysis for lrzip processes to identify exploitation attempts
- Implement application crash monitoring for systems that regularly use lrzip for decompression tasks
- Monitor file system activity for suspicious .lrz files, particularly those from untrusted sources
- Review system logs for memory-related errors associated with lrzip operations
How to Mitigate CVE-2025-15570
Immediate Actions Required
- Assess systems to determine if lrzip version 0.651 or earlier is installed
- Avoid decompressing files from untrusted or unknown sources using vulnerable lrzip versions
- Consider temporarily disabling or removing lrzip until a patch becomes available
- Implement network segmentation to limit the potential impact of local exploitation
- Monitor the lrzip GitHub repository for security updates
Patch Information
As of the last update, no official patch has been released by the project maintainers. The vulnerability was reported through GitHub Issue #262, but the project has not yet responded to the disclosure. Users should monitor the official repository for updates and apply patches as soon as they become available.
Workarounds
- Use alternative compression tools such as xz, gzip, or bzip2 for decompression tasks until a fix is available
- Implement strict file validation and sandboxing when processing compressed files from untrusted sources
- Run lrzip in a containerized or isolated environment to limit the impact of potential exploitation
- Apply operating system-level memory protections such as ASLR and stack canaries to reduce exploitability
# Check installed lrzip version
lrzip -V
# Alternative: Use xz for LZMA decompression as a temporary workaround
xz -d filename.xz
# Run lrzip in a sandboxed environment using firejail
firejail --private lrzip -d untrusted_file.lrz
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
