#VU53439 Integer overflow in LZ4


Published: 2021-05-24 | Updated: 2023-03-31

Vulnerability identifier: #VU53439

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3520

CWE-ID: CWE-190

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
LZ4
Client/Desktop applications / Software for archiving

Vendor: LZ4

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in the fast LZ compression algorithm library. A remote attacker can pass specially crafted archive, trick the victim into opening it, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

LZ4: 1.8.0 - 1.9.3

External links
http://github.com/lz4/lz4/pull/972
http://github.com/lz4/lz4/commit/8301a21773ef61656225e264f4f06ae14462bca7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Splunk Enterprise update for third-party packages
Splunk Universal Forwarder update for third-party packages
Multiple vulnerabilities in librdkafka
Multiple vulnerabilities in API Portal
Multiple vulnerabilities in Red Hat Integration Camel-K
Multiple vulnerabilities in IBM Cloud Pak for Security
Multiple vulnerabilities in Red Hat Service Telemetry Framework
Multiple vulnerabilities in Red Hat Integration Camel Extensions for Quarkus 2.7
Multiple vulnerabilities in Oracle Communications Cloud Native Core Policy
Multiple vulnerabilities in IBM Security Verify Access