{"id":"CVE-2020-22916","details":"An issue discovered in XZ 5.2.5 allows attackers to cause a denial of service via decompression of a crafted file. NOTE: the vendor disputes the claims of \"endless output\" and \"denial of service\" because decompression of the 17,486 bytes always results in 114,881,179 bytes, which is often a reasonable size increase.","modified":"2026-04-10T04:24:45.947869Z","published":"2023-08-22T19:16:19.407Z","references":[{"type":"WEB","url":"https://security-tracker.debian.org/tracker/CVE-2020-22916"},{"type":"WEB","url":"https://tukaani.org/xz/"},{"type":"WEB","url":"http://web.archive.org/web/20230918084612/https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2234987"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1214590"},{"type":"REPORT","url":"https://github.com/tukaani-project/xz/issues/61"},{"type":"PACKAGE","url":"https://github.com/snappyJack/CVE-request-XZ-5.2.5-has-denial-of-service-vulnerability"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.tukaani.org/xz.git","events":[{"introduced":"0"},{"last_affected":"2327a461e1afce862c22269b80d3517801103c1b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.2.5"}]}}],"versions":["v4.42.2alpha","v4.999.3alpha","v4.999.5alpha","v4.999.7beta","v4.999.8beta","v4.999.9beta","v5.0.0","v5.1.0alpha","v5.1.1alpha","v5.1.2alpha","v5.1.3alpha","v5.1.4beta","v5.2.0","v5.2.1","v5.2.2","v5.2.3","v5.2.4","v5.2.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-22916.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}