CVE-2026-32829 Overview
CVE-2026-32829 is an Out-of-Bounds Read vulnerability in lz4_flex, a pure Rust implementation of LZ4 compression/decompression. The vulnerability exists in versions 0.11.5 and below, as well as version 0.12.0, where decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer.
Critical Impact
Crafted or malformed LZ4 input can expose sensitive data and secrets through out-of-bounds memory reads during decompression operations.
Affected Products
- lz4_flex versions 0.11.5 and below
- lz4_flex version 0.12.0
- Applications using block-based API functions (decompress_into, decompress_into_with_dict) when safe-decode is disabled
Discovery Timeline
- 2026-03-20 - CVE CVE-2026-32829 published to NVD
- 2026-03-20 - Last updated in NVD database
Technical Details for CVE-2026-32829
Vulnerability Analysis
This vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and represents a memory information disclosure flaw in the LZ4 decompression implementation. The root issue lies in insufficient validation of offset parameters during LZ4 match copy operations.
LZ4 compression uses a technique where repeated sequences are encoded as references to previously decompressed data. The decompression routine must copy bytes from earlier positions in the output buffer based on offset values specified in the compressed stream. When these offset values are not properly validated against the current position and buffer boundaries, the decompressor can read memory contents that were never intended to be accessed.
The vulnerability specifically affects the block-based API functions including decompress_into and decompress_into_with_dict, particularly when the safe-decode feature is disabled. Frame-based APIs remain unaffected as they implement additional validation layers.
Root Cause
The root cause is improper input validation of offset values during LZ4 match copy operations in the decompression routine. When processing malformed or crafted LZ4 data, the library fails to verify that offset values point to valid, previously-written portions of the output buffer. This allows an attacker-controlled offset to reference uninitialized memory regions or data from previous decompression operations that remain in the buffer, resulting in information leakage.
Attack Vector
An attacker can exploit this vulnerability by supplying specially crafted LZ4 compressed data to an application using the vulnerable lz4_flex library. The attack occurs over the network as the malformed input can be delivered through any data channel that eventually reaches the decompression function. The attack does not require authentication or user interaction.
The exploitation mechanism involves crafting an LZ4 block with malicious offset values in match copy instructions. When the vulnerable decompression function processes this data, it reads beyond the intended boundaries of legitimately decompressed data, potentially exposing:
- Uninitialized memory contents
- Residual data from previous decompression operations
- Adjacent memory regions containing sensitive application data
This information is then included in the decompression output, effectively exfiltrating memory contents to the attacker.
Detection Methods for CVE-2026-32829
Indicators of Compromise
- Unusual or malformed LZ4 compressed data being processed by applications
- Decompression output containing unexpected data patterns or anomalous content
- Applications using lz4_flex versions 0.11.5 or below, or version 0.12.0
- Error conditions or crashes during LZ4 decompression operations
Detection Strategies
- Monitor application dependencies for lz4_flex versions affected by this vulnerability using cargo audit or similar Rust security tools
- Implement input validation for compressed data before passing to decompression functions
- Review application logs for decompression failures that may indicate exploitation attempts
- Use the RustSec Advisory Database to identify affected crate versions in your projects
Monitoring Recommendations
- Enable verbose logging for decompression operations to capture potential exploitation attempts
- Monitor for unusual network traffic patterns involving compressed data streams
- Implement anomaly detection for decompression output size versus input size ratios
- Track memory access patterns in security-sensitive applications using lz4_flex
How to Mitigate CVE-2026-32829
Immediate Actions Required
- Upgrade lz4_flex to version 0.11.6 or 0.12.1 immediately
- Enable the safe-decode feature flag when using block-based API functions
- Audit applications for use of affected API functions (decompress_into, decompress_into_with_dict)
- Review the GitHub Security Advisory for additional guidance
Patch Information
The vulnerability has been fixed in lz4_flex versions 0.11.6 and 0.12.1. The fix implements proper validation of offset values during match copy operations to prevent out-of-bounds reads. The security patch is available via the GitHub commit.
To update your application, modify your Cargo.toml to require the patched versions and run cargo update to apply the fix.
Workarounds
- Enable the safe-decode feature flag in your Cargo.toml configuration for lz4_flex
- Use frame-based APIs instead of block-based APIs as frame APIs are not affected by this vulnerability
- Implement input sanitization to reject potentially malicious LZ4 data before decompression
- Consider switching to alternative LZ4 implementations temporarily until upgrade is possible
# Update lz4_flex to patched version
cargo update -p lz4_flex
# Alternatively, specify minimum version in Cargo.toml
# For 0.11.x branch: lz4_flex = ">=0.11.6"
# For 0.12.x branch: lz4_flex = ">=0.12.1"
# Run security audit to verify fix
cargo audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
