CVE-2025-31115: CWE-366: Race Condition within a Thread in tukaani-project xz
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
AI Analysis
Technical Summary
The vulnerability CVE-2025-31115 involves a race condition in the multithreaded .xz decoder of the liblzma library used by XZ Utils versions 5.3.3alpha through 5.8.0. This bug allows invalid input to trigger heap use after free and writes based on null pointer offsets, leading to application crashes. The flaw affects any software using the lzma_stream_decoder_mt function for multithreaded decoding. The issue has been addressed and fixed in XZ Utils version 5.8.1, with the fix committed to the main development branches. While no new stable branch releases will be made, a standalone patch is provided for all affected versions.
Potential Impact
The vulnerability can cause crashes in applications using the affected multithreaded decoder due to heap use after free and null pointer dereferences. This may lead to denial of service or instability in software relying on the lzma_stream_decoder_mt function. There is no evidence of exploitation in the wild or additional impact such as code execution reported.
Mitigation Recommendations
A fix is available in XZ Utils version 5.8.1. Users and developers should upgrade to this version to remediate the vulnerability. For those unable to upgrade, a standalone patch is available that applies to all affected releases. No other mitigation or temporary workaround is indicated by the vendor advisory.
CVE-2025-31115: CWE-366: Race Condition within a Thread in tukaani-project xz
Description
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2025-31115 involves a race condition in the multithreaded .xz decoder of the liblzma library used by XZ Utils versions 5.3.3alpha through 5.8.0. This bug allows invalid input to trigger heap use after free and writes based on null pointer offsets, leading to application crashes. The flaw affects any software using the lzma_stream_decoder_mt function for multithreaded decoding. The issue has been addressed and fixed in XZ Utils version 5.8.1, with the fix committed to the main development branches. While no new stable branch releases will be made, a standalone patch is provided for all affected versions.
Potential Impact
The vulnerability can cause crashes in applications using the affected multithreaded decoder due to heap use after free and null pointer dereferences. This may lead to denial of service or instability in software relying on the lzma_stream_decoder_mt function. There is no evidence of exploitation in the wild or additional impact such as code execution reported.
Mitigation Recommendations
A fix is available in XZ Utils version 5.8.1. Users and developers should upgrade to this version to remediate the vulnerability. For those unable to upgrade, a standalone patch is available that applies to all affected releases. No other mitigation or temporary workaround is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-03-26T15:04:52.624Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a031edecbff5d8610deb8b5
Added to database: 5/12/2026, 12:36:46 PM
Last enriched: 5/12/2026, 12:51:42 PM
Last updated: 5/14/2026, 6:51:22 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.