CVE-2019-12900
Severity: MEDIUM 4.0 | EPSS: 1.1%
Out-of-bounds write when there are many bzip2 selectors
Published: 11/14/2025 | Modified: 4/28/2026
Description
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
Affected packages (6)
- Alpine/bzip2: from 0, < 1.0.6-r7
- Debian/bzip2: from 0, < 1.0.6-9.1
- Debian/clamav: from 0, < 0.101.4+dfsg-1
- Hackage/bz2: >= 0.1.0.0, < 1.0.1.1
- Hackage/bzlib: >= 0.4, < 0.5.2.0
- Hackage/bzlib-conduit: >= 0.1.0.0, < 0.3.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 4.0 | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
References (6)
- ADVISORY: https://access.redhat.com/security/cve/cve-2019-12900
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2019-12900
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2019-12900
- PATCH: https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184
- WEB: http://scary.beasts.org/security/CESA-2008-005.html
- WEB: https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/