CVE-2025-15571 Overview
A null pointer dereference vulnerability has been identified in ckolivas lrzip up to version 0.651. This vulnerability affects the ucompthread function within the stream.c file. When exploited, this flaw can lead to a denial of service condition by causing the application to crash. The vulnerability requires local access to exploit and has been publicly disclosed through a proof-of-concept, though the project maintainers have not yet responded to the reported issue.
Critical Impact
Local attackers with low privileges can cause application crashes through null pointer dereference in the compression thread handling, potentially disrupting file operations and data processing workflows.
Affected Products
- ckolivas lrzip versions up to 0.651
- Systems using lrzip for file compression/decompression operations
- Linux distributions packaging vulnerable lrzip versions
Discovery Timeline
- 2026-02-10 - CVE-2025-15571 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-15571
Vulnerability Analysis
The vulnerability resides in the ucompthread function located in stream.c within the lrzip codebase. This function handles threaded decompression operations, and under specific conditions, it fails to properly validate pointer references before dereferencing them. When a null pointer is encountered and dereferenced, the application crashes, resulting in a denial of service condition.
The local attack vector means that an attacker must have access to the system where lrzip is running. The exploit requires low privileges to execute, with no user interaction needed. While the vulnerability does not compromise confidentiality or integrity, it directly impacts availability by crashing the lrzip process.
The issue was reported to the project through GitHub lrzip Issue #263, but the maintainers have not yet acknowledged or addressed the vulnerability.
Root Cause
The root cause is classified under CWE-404 (Improper Resource Shutdown or Release), though the specific manifestation is a null pointer dereference. The ucompthread function does not perform adequate null checks on pointer variables before attempting to access the memory they reference. This can occur when processing malformed or specially crafted compressed files that trigger unexpected code paths in the decompression threading logic.
Attack Vector
The attack vector is local, requiring an attacker to have access to the target system. Exploitation involves supplying a specially crafted input file to lrzip that triggers the null pointer condition in the ucompthread function. When lrzip attempts to process this malicious file, the null pointer dereference causes an immediate crash.
The vulnerability mechanism can be understood as follows: when processing compressed data streams, the ucompthread function manages decompression threads. If the input file is crafted to create a state where expected memory structures are not properly initialized, the function may attempt to access memory through a null pointer, causing the program to crash.
A proof-of-concept has been made available through the GitHub PoC Archive, demonstrating how the vulnerability can be triggered.
Detection Methods for CVE-2025-15571
Indicators of Compromise
- Unexpected lrzip process crashes or core dumps on systems processing compressed files
- Segmentation fault errors in system logs associated with lrzip operations
- Presence of unusually structured or malformed .lrz files in input directories
Detection Strategies
- Monitor system logs for segmentation fault signals (SIGSEGV) associated with lrzip processes
- Implement file integrity monitoring on directories where compressed files are processed
- Deploy application crash monitoring to detect repeated lrzip failures
Monitoring Recommendations
- Configure system logging to capture and alert on application crashes related to lrzip
- Review input file sources for any suspicious or untrusted compressed archives
- Monitor for unusual patterns of file processing failures in automated compression workflows
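The log-based detection described above can be sketched as follows. This is an added example, not code from the advisory or from the lrzip project: it assumes the x86-64 Linux kernel "segfault at" log format, and the sample log lines, host name, addresses and offsets are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the x86-64 Linux kernel "segfault at" format.
SAMPLE_LOG = """\
Feb 11 09:14:02 build01 kernel: lrzip[4121]: segfault at 0 ip 000055e0c1a2b3f4 sp 00007f3a5c7fde40 error 4 in lrzip[55e0c1a00000+5c000]
Feb 11 09:14:09 build01 kernel: lrzip[4130]: segfault at 18 ip 00005629f4e2b3f4 sp 00007f90117fde40 error 4 in lrzip[5629f4e00000+5c000]
Feb 11 09:15:40 build01 kernel: nginx[912]: segfault at 7ffd1c2e0ff8 ip 00007f11aa0012c3 sp 00007ffd1c2e1000 error 6 in libc.so.6[7f11a9f00000+195000]
Feb 11 09:16:01 build01 kernel: lrzip[4188]: segfault at 7f3a5c900000 ip 000055e0c1a2c001 sp 00007f3a5c7fde40 error 6 in lrzip[55e0c1a00000+5c000]
Feb 11 09:17:12 build01 cron[700]: (root) CMD (lrzip -d /srv/in/batch.lrz)
"""

SEGFAULT = re.compile(
    r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error \d+"
    r"(?: in (?P<module>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+[0-9a-f]+\])?"
)
PAGE_SIZE = 0x1000  # faults below this address are treated as NULL-based accesses


def parse_segfaults(log_text, comm="lrzip"):
    """Return one record per kernel segfault line for the given process name."""
    events = []
    for line in log_text.splitlines():
        m = SEGFAULT.search(line)
        if not m or m["comm"] != comm:
            continue
        addr, ip = int(m["addr"], 16), int(m["ip"], 16)
        # ASLR changes ip on every run; the offset inside the mapping is stable.
        offset = ip - int(m["base"], 16) if m["base"] else None
        events.append({"pid": int(m["pid"]), "fault_addr": addr,
                       "null_deref": addr < PAGE_SIZE, "offset": offset})
    return events


def repeated_null_derefs(events, threshold=2):
    """Code offsets that crashed on a NULL-page access at least `threshold` times."""
    hits = Counter(e["offset"] for e in events
                   if e["null_deref"] and e["offset"] is not None)
    return {off: n for off, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for off, n in repeated_null_derefs(parse_segfaults(SAMPLE_LOG)).items():
        print(f"ALERT: {n} lrzip NULL-dereference crashes at module offset {off:#x}")
```

Grouping by module offset rather than raw instruction pointer lets crashes from separate runs be recognised as the same fault even with ASLR enabled.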
How to Mitigate CVE-2025-15571
Immediate Actions Required
- Evaluate the use of lrzip in production environments and consider temporary alternatives such as gzip, bzip2, or xz for compression needs
- Restrict execution of lrzip to trusted users and validated input files only
- Implement input validation for any automated workflows that process compressed files with lrzip
Patch Information
As of the last update, no official patch has been released by the project maintainers. The vulnerability was reported through GitHub lrzip Issue #263, but the project has not responded. Users should monitor the GitHub lrzip Project for updates and patches.
Additional vulnerability tracking information is available at VulDB #344931.
Workarounds
- Avoid processing untrusted or unknown compressed files with lrzip until a patch is available
- Run lrzip operations in sandboxed or containerized environments to limit crash impact
- Implement wrapper scripts that validate input file structures before passing them to lrzip
- Consider switching to alternative compression utilities that do not have this vulnerability
# Example: Use alternative compression while awaiting patch
# Instead of lrzip, use xz for similar compression ratios
xz -k -9 input_file.tar
# Restrict lrzip execution to specific trusted users
# (trusted-compression-users is an example group name; the group must exist before chown is run)
chmod 750 /usr/bin/lrzip
chown root:trusted-compression-users /usr/bin/lrzip
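The wrapper-script workaround listed above can be sketched as follows. This is an added example, not code from the advisory or from the lrzip project. It assumes that lrzip archives begin with the bytes LRZI and that lrzip -t (test mode) decompresses the archive and so exercises the same code path; the function names and the quarantine directory are hypothetical.

```python
import os
import resource
import shutil
import signal
import subprocess
import sys

LRZIP_MAGIC = b"LRZI"  # assumed: first four bytes of an lrzip archive


def no_core_dumps():
    # Runs in the child only: a crashing test run should not leave core files.
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def classify_run(argv, timeout=300):
    """Run argv in a child process and report how it ended."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout,
                              preexec_fn=no_core_dumps)
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    if proc.returncode < 0:  # negative value: child was killed by that signal
        return ("crashed", signal.Signals(-proc.returncode).name)
    return ("ok", 0) if proc.returncode == 0 else ("rejected", proc.returncode)


def vet_archive(path, quarantine_dir, tester=("lrzip", "-t")):
    """Test-decompress path; quarantine it unless the test run exits cleanly."""
    with open(path, "rb") as fh:
        magic_ok = fh.read(4) == LRZIP_MAGIC
    # The magic check only filters non-lrzip files; a crafted archive passes it,
    # so the isolated test run is the check that matters.
    verdict = classify_run([*tester, path]) if magic_ok else ("rejected", "bad magic")
    if verdict[0] != "ok":
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(path, os.path.join(quarantine_dir, os.path.basename(path)))
    return verdict


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python vet_lrz.py <archive.lrz> <quarantine_dir>
    print(vet_archive(sys.argv[1], sys.argv[2]))
```

A file that crashes or hangs the test run is moved aside before the real job sees it, so one bad archive does not repeatedly take down an automated workflow.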

