Vulnerability details: VCID-wp5w-6mar-7fbf
Vulnerability ID: VCID-wp5w-6mar-7fbf
Aliases: CVE-2025-31115
Summary: XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
Status: Published
Exploitability: 0.5
Weighted Severity: 7.8
Risk: 3.9
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31115.json
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00051 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00067 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00095 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00106 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00117 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
epss 0.00128 https://api.first.org/data/v1/epss?cve=CVE-2025-31115
cvssv3.1 8.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv4 8.7 https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
ssvc Track https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
cvssv4 8.7 https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
ssvc Track https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
archlinux Medium https://security.archlinux.org/AVG-2860
archlinux Medium https://security.archlinux.org/AVG-2861
cvssv4 8.7 https://tukaani.org/xz/xz-cve-2025-31115.patch
ssvc Track https://tukaani.org/xz/xz-cve-2025-31115.patch
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31115.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T17:57:35Z/ Found at https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T17:57:35Z/ Found at https://github.com/tukaani-project/xz/security/advisories/GHSA-6cc8-p5mm-29w2
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N Found at https://tukaani.org/xz/xz-cve-2025-31115.patch
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-03T17:57:35Z/ Found at https://tukaani.org/xz/xz-cve-2025-31115.patch
Exploit Prediction Scoring System (EPSS)
Percentile: 0.12791
EPSS Score: 0.0005
Published At: April 4, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-04-03T10:44:38.029299+00:00 SUSE Severity Score Importer Import https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml 36.0.0