{ "threat_severity" : "Important", "public_date" : "2026-03-16T20:48:08Z", "bugzilla" : { "description" : "lz4_flex: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer", "id" : "2448271", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2448271" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-823", "details" : [ "lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 \"match copy operations,\" allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1." ], "statement" : "In RHEL 9 and RHEL 10, this vulnerability presents minimal risk as the rust-analyzer component operates in a \"closed loop,\" strictly decompressing its own internal database. Because it does not process external or untrusted data, exploitation requires an attacker to already possess local access and sufficient privileges to tamper with the internal cache files on disk.", "affected_release" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift 6.2", "release_date" : "2026-04-29T00:00:00Z", "advisory" : "RHSA-2026:11800", "cpe" : "cpe:/a:redhat:logging:6.2::el9", "package" : "openshift-logging/vector-rhel9:1776894389" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift 6.5", "release_date" : "2026-05-12T00:00:00Z", "advisory" : "RHSA-2026:16354", "cpe" : "cpe:/a:redhat:logging:6.5::el9", "package" : "openshift-logging/vector-rhel9:1777574710" }, { "product_name" : "Red Hat OpenShift AI 3.3", "release_date" : "2026-05-20T00:00:00Z", "advisory" : "RHSA-2026:19712", "cpe" : "cpe:/a:redhat:openshift_ai:3.3::el9", "package" : "rhoai/odh-llm-d-inference-scheduler-rhel9:1778263962" } ], "package_state" : [ { "product_name" : "OpenShift Lightspeed", "fix_state" : "Will not fix", "package_name" : "openshift-lightspeed/lightspeed-service-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Will not fix", "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "rust", "cpe" : "cpe:/o:redhat:enterprise_linux:10", "impact" : "low" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "rust", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "impact" : "low" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-model-registry-job-async-upload-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-32829\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32829\nhttps://github.com/PSeitz/lz4_flex\nhttps://github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d\nhttps://github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv" ], "name" : "CVE-2026-32829", "csaw" : false }