CVE-2025-31115

Publication date 3 April 2025

Last updated 3 April 2025

Ubuntu priority

The threaded .xz decoder in liblzma has a bug that can at least result in a crash (denial of service). The effects include heap use after free and writing to an address based on the null pointer plus an offset.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
xz-utils	24.10 oracular	Fixed 5.6.2-2ubuntu0.2
	24.04 LTS noble	Fixed 5.6.1+really5.4.5-1ubuntu0.2
	22.04 LTS jammy	Not affected
	20.04 LTS focal	Not affected
	18.04 LTS bionic	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not affected

How can I get the fixes?
What do statuses mean?

Notes

mdeslaur

per upstream, affects 5.3.3alpha to 5.8.0

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-7414-1
XZ Utils vulnerability
3 April 2025

Other references

https://www.cve.org/CVERecord?id=CVE-2025-31115