CVE-2025-31115 - Critical Use-After-Free Bug in XZ Utils liblzma Multithreaded Decoder – What You Need to Know
XZ Utils is a widely used package for compressing and decompressing files, familiar to anyone who's handled .xz files in the Linux or Unix world. In March 2025, a critical security bug was discovered and assigned CVE-2025-31115. This bug affects the multithreaded .xz decoder in liblzma, the library that does the heavy lifting for compression and decompression.
The flaw exists in versions 5.3.3alpha through 5.8.0. This means millions of systems running popular Linux distributions, as well as applications linking against affected liblzma versions, could be vulnerable.
---
What’s the Vulnerability?
The bug lives in the multithreaded decoder code. The specific function at risk is lzma_stream_decoder_mt. When decoding certain invalid .xz files, the code can free memory it still expects to use (a "use-after-free" bug), and in other cases it may attempt to write data to an address computed by adding an offset to a null pointer. Both issues can easily crash your program and, in the right (or wrong) circumstances, open doors for attackers, including possible remote code execution.
Here's a trimmed and simplified snippet to show how such bugs can occur:
#include <stdlib.h>

// Pseudocode-style illustration of the idea, not the buggy liblzma code itself!
void example(size_t size) {
    char *buffer = malloc(size);
    // ...
    free(buffer);
    // ... some other code that still thinks buffer is valid
    buffer[0] = 0x42; // Use after free!
}
In liblzma's case, bugs like this can happen when decompressing bad or specially crafted .xz files with multithreading.
---
Who Is at Risk?
- Any program that uses the multithreaded decoder via lzma_stream_decoder_mt() in affected liblzma versions.
- Command-line tools like xz and unxz if used with the --threads= option.
- Third-party backup, packaging, and transfer tools that depend on xz/liblzma.
If you only use the single-threaded decoder, you’re likely safe, but in practice, it’s hard to guarantee all your tools avoid lzma_stream_decoder_mt.
---
How Can This Be Exploited?
An attacker could craft a malicious .xz file that triggers the bug inside the multithreaded decoder. For example, by sending a poisoned archive via email or through file uploads, they could crash your processes, potentially execute their own code, or expose sensitive info from memory.
Here’s a simple example using Python to test for crashes (not a real exploit, but useful for checking):
import subprocess

# Write a minimal bad archive (for demonstration only!)
with open('badtest.xz', 'wb') as f:
    f.write(b'\xfd7zXZ\x00' + b'B' * 100)  # XZ stream header magic + garbage

# Try to decompress with the installed xz using the multithreaded decoder
result = subprocess.run(['xz', '--threads=2', '-d', 'badtest.xz'])
if result.returncode < 0:
    # A negative return code means xz was killed by a signal (e.g. SIGSEGV):
    # an actual crash, not xz's normal "corrupt data" error exit
    print('xz crashed (signal %d)! Affected version likely in use.' % -result.returncode)
elif result.returncode != 0:
    print('xz rejected the file cleanly (exit %d); no crash observed.' % result.returncode)
*Note: Real exploits can be much more sophisticated and could result in silent compromise, not just crashes.*
---
Upgrade immediately to XZ Utils 5.8.1 or later!
- If you're stuck on an older version, there is a standalone patch in the official git repository that applies to old releases; you can apply it manually to the source code.
- Avoid opening untrusted .xz archives on critical systems until you've patched.
- Audit your dependency chain. Developers: make sure you’re not statically linking in a vulnerable copy of liblzma.
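One way to audit which liblzma a system actually loads, as an added example that is not from this post or the XZ project: the helper below encodes version strings with liblzma's own LZMA_VERSION formula, compares them against the affected range stated above (5.3.3alpha up to and including 5.8.0, fixed in 5.8.1), and optionally asks the loaded library itself via ctypes. The `xz --version` sample it parses is constructed.

```python
import ctypes
import ctypes.util
import re

# liblzma's LZMA_VERSION encoding: major*10000000 + minor*10000 + patch*10 + stability,
# where stability is alpha=0, beta=1, stable=2 (see lzma/version.h).
STABILITY = {"alpha": 0, "beta": 1, "": 2}
FIRST_AFFECTED = 5 * 10000000 + 3 * 10000 + 3 * 10 + STABILITY["alpha"]  # 5.3.3alpha
FIRST_FIXED = 5 * 10000000 + 8 * 10000 + 1 * 10 + STABILITY[""]          # 5.8.1

def version_number(text):
    """Encode '5.8.0' or '5.3.3alpha' the way lzma_version_number() does.
    Returns None if the string is not a liblzma-style version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(alpha|beta)?", text.strip())
    if not m:
        return None
    major, minor, patch, stab = m.groups()
    return (int(major) * 10000000 + int(minor) * 10000
            + int(patch) * 10 + STABILITY[stab or ""])

def is_affected(text):
    """True if the version string falls inside the CVE-2025-31115 range."""
    v = version_number(text)
    return v is not None and FIRST_AFFECTED <= v < FIRST_FIXED

def liblzma_version_from_xz_output(output):
    """Pull the 'liblzma X.Y.Z' line out of `xz --version` output."""
    m = re.search(r"^liblzma\s+(\S+)", output, re.MULTILINE)
    return m.group(1) if m else None

def loaded_liblzma_version():
    """Ask the liblzma the dynamic loader resolves; None if it cannot be loaded."""
    path = ctypes.util.find_library("lzma")
    if not path:
        return None
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.lzma_version_string.restype = ctypes.c_char_p  # real liblzma API
    return lib.lzma_version_string().decode()

if __name__ == "__main__":
    # Constructed sample of what `xz --version` prints on an unpatched 5.8.0 box
    sample = "xz (XZ Utils) 5.8.0\nliblzma 5.8.0\n"
    print("sample:", liblzma_version_from_xz_output(sample), is_affected("5.8.0"))
    loaded = loaded_liblzma_version()
    print("loaded liblzma:", loaded, "affected" if loaded and is_affected(loaded) else "not in range")
```

A distribution package may ship the 5.8.1 fix as a backport under an older version number, so an "affected" result means "check the vendor advisory", not proof of exposure.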
---
References for Deep Dive
- XZ Utils Security Advisory for CVE-2025-31115
- Commit with the Fix
- CVE-2025-31115 Entry on NVD
- xz Git Repository
---
Summary
CVE-2025-31115 is a serious bug in a central piece of Unix/Linux infrastructure. Even if you only occasionally work with .xz files, or run tools that use the multithreaded decoder, you should patch or upgrade immediately. Left unchecked, attackers could target your system with specially crafted files to crash your app or do even greater harm.
Stay safe, and keep your tools up to date!
*This post is an exclusive, easy-to-read summary intended to help technical users and system administrators dodge nasty surprises from the latest XZ Utils vulnerability. Share as needed to protect your team!*
Timeline
Published on: 04/03/2025 17:15:30 UTC
Last modified on: 04/07/2025 14:18:34 UTC