lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid…
GitHub_M · CWE-201 · Published 2026-03-16
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
Decompressing invalid LZ4 data with the block API can leak data from uninitialized memory, or leak content from previous decompression operations when reusing an output buffer. The LZ4 block format defines a "match copy operation" which duplicates previously written data or data from a user-supplied dict. The position of that data is defined by an _offset_. `lz4_flex` did not properly validate _offset_ values, causing it to copy data from outside the initialized portion of the output buffer. Two scenarios are affected:

- Decompressing with the `unsafe` implementation (`safe-decode` feature flag disabled, which is the default): can leak content of uninitialized memory as part of the decompressed result.
- Decompressing into a reused, user-supplied output buffer (also affects `safe-decode`): can leak the previous contents of the output buffer as part of the decompressed result.

Only the block-based APIs are affected. All frame APIs are unaffected. The flaw was corrected in versions 0.11.6 and 0.12.1 by properly validating offset values during decompression. If upgrading is not possible, the issue can be mitigated by zeroing the output buffer before each call to the affected functions and enabling the `safe-decode` feature flag.
### Summary

Decompressing invalid LZ4 data can leak data from uninitialized memory, or can leak content from previous decompression operations when reusing an output buffer.

### Details

The LZ4 block format defines a "match copy operation" which duplicates previously written data or data from the user-supplied dict. The position of that data is defined by an _offset_. The data is copied within the output buffer from the _offset_ to the current output position. However, lz4_flex did not properly detect invalid and out-of-bounds _offset_ values, causing it to copy uninitialized data from the output buffer.

Only the block based API functions are affected:

`lz4_flex::block::{decompress_into, decompress_into_with_dict}`

When `safe-decode` is disabled, these functions are _additionally_ affected:

`lz4_flex::block::{decompress, decompress_with_dict, decompress_size_prepended, decompress_size_prepended_with_dict}`

All `frame` APIs are _not_ affected.

There are two affected use cases:

- decompressing LZ4 data with the `unsafe` implementation (`safe-decode` feature flag disabled, which is the default): can leak content of uninitialized memory as decompressed result
- decompressing LZ4 data into a reused, user-supplied `output` buffer (affects the `safe-decode` feature as well): can leak the previous contents of the output buffer as decompressed result

### Impact

Leakage of data from uninitialized memory or content from previous decompression operations, possibly revealing sensitive information and secrets.

### Mitigation

lz4_flex 0.12.1 and 0.11.6 fix this issue without requiring changes in user code. If you cannot upgrade, you can mitigate this vulnerability by zeroing the output buffer before calling `block::decompress_into` or `block::decompress_into_with_dict` (only the block based API is affected; the frame API is not affected). Additionally, the `safe-decode` feature flag should be enabled.
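The offset guard the Summary and Details sections describe, written out as an added example (not lz4_flex's own code): a minimal LZ4 block decoder in which every match copy is checked against the bytes written so far plus the optional dictionary, so a malformed offset is rejected instead of reading stale or uninitialised output. The layout follows the LZ4 block format (token nibbles, extended lengths, little-endian 16-bit offset); the function and error names are this example's own.

```rust
// Minimal LZ4 block decoder whose match copy is guarded by the offset check
// the advisory describes. Added example, not lz4_flex's own code.
#[derive(Debug, PartialEq)]
pub enum DecodeError { Truncated, OutputTooSmall, BadOffset { offset: usize, available: usize } }

// A length nibble of 15 continues with extra bytes: each 255 adds 255 and
// the first non-255 byte ends the run.
fn read_len(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*ip).ok_or(DecodeError::Truncated)?;
        *ip += 1;
        len += b as usize;
        if b != 255 { return Ok(len); }
    }
}
/// Decodes one LZ4 block into `out` and returns the number of bytes written.
/// `out` may hold stale data from an earlier call and need not be zeroed:
/// a match may only reference `dict` plus the bytes this call has written.
pub fn decompress_block(input: &[u8], dict: &[u8], out: &mut [u8]) -> Result<usize, DecodeError> {
    let (mut ip, mut written) = (0usize, 0usize);
    while ip < input.len() {
        let token = input[ip];
        ip += 1;
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 { lit_len = read_len(input, &mut ip, lit_len)?; }
        let lits = input.get(ip..ip + lit_len).ok_or(DecodeError::Truncated)?;
        out.get_mut(written..written + lit_len).ok_or(DecodeError::OutputTooSmall)?.copy_from_slice(lits);
        ip += lit_len;
        written += lit_len;
        if ip == input.len() { break; } // the final sequence carries literals only
        let off = input.get(ip..ip + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0f) as usize + 4;
        if match_len == 19 { match_len = read_len(input, &mut ip, match_len)?; }
        // The guard: an offset of 0, or one reaching past dict + initialised
        // output, is rejected before any byte is read, so nothing stale leaks.
        let available = dict.len() + written;
        if offset == 0 || offset > available { return Err(DecodeError::BadOffset { offset, available }); }
        if written + match_len > out.len() { return Err(DecodeError::OutputTooSmall); }
        for i in 0..match_len {
            // History is dict ++ out[..written]; byte-wise copy keeps overlapping matches correct.
            let src = dict.len() + written + i - offset;
            out[written + i] = if src < dict.len() { dict[src] } else { out[src - dict.len()] };
        }
        written += match_len;
    }
    Ok(written)
}
```

The `BadOffset` path is the one that matters for the advisory: with a reused `out` buffer full of earlier plaintext, an offset larger than `available` would otherwise copy those old bytes into the result.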
| Version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 4.0 | Primary | cve.org | 8.2 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| 4.0 | Secondary | NVD | 8.2 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| 4.0 | Secondary | GHSA | 8.2 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |