CVE-2021-3520

CRITICAL9.8EPSS 0.14%

Memory corruption in liblz4

Published: 8/25/2022Modified: 2/4/2026

Also known as:GHSA-9q5j-jm53-v7vr DSA-4919-1ALPINE-CVE-2021-3520DEBIAN-CVE-2021-3520RUSTSEC-2022-0051

Description

lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to [CVE-2021-3520](https://nvd.nist.gov/vuln/detail/CVE-2021-3520). Attackers could craft a payload that triggers an integer overflow upon decompression, causing an out-of-bounds write. The flaw has been corrected in version v1.9.4 of liblz4, which is included in lz4-sys 1.9.4.

Affected packages (5)

Alpine/lz4from 0, < 1.9.2-r1
crates.io/lz4-sys>= 0.0.0-0, < 1.9.4
Debian/lz4from 0, < 1.9.3-2
Debian/lz4from 0, < 0.0~r131-2+deb9u1
Debian/lz4from 0, < 1.8.3-1+deb10u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://rustsec.org/advisories/RUSTSEC-2022-0051.html
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-3520
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3520
PATCHhttps://crates.io/crates/lz4-sys
WEBhttps://github.com/lz4/lz4/pull/972