{"id":"RUSTSEC-2022-0051","summary":"Memory corruption in liblz4","details":"lz4-sys up to and including v1.9.3 bundles a version of liblz4 that is vulnerable to\n[CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520).\n\nAttackers could craft a payload that triggers an integer overflow upon\ndecompression, causing an out-of-bounds write.\n\nThe flaw has been corrected in version v1.9.4 of liblz4, which is included\nin lz4-sys 1.9.4.","aliases":["GHSA-9q5j-jm53-v7vr"],"modified":"2026-02-04T03:20:40.494417Z","published":"2022-08-25T12:00:00Z","related":["CVE-2021-3520"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lz4-sys"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2022-0051.html"},{"type":"WEB","url":"https://github.com/lz4/lz4/pull/972"}],"affected":[{"package":{"name":"lz4-sys","ecosystem":"crates.io","purl":"pkg:cargo/lz4-sys"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"1.9.4"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2022-0051.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","informational":null,"categories":["memory-corruption"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}