CVE-2026-32829: CWE-201: Insertion of Sensitive Information Into Sent Data in PSeitz lz4_flex
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
AI Analysis
Technical Summary
CVE-2026-32829 affects lz4_flex, a pure-Rust implementation of the LZ4 compression format. In versions 0.11.5 and earlier, and in 0.12.0, the block-mode decompressor does not properly validate the offset of an LZ4 match (the back-reference that tells the decoder to copy bytes it has already produced) before performing the match copy. A crafted or merely malformed block can therefore make the copy read outside the bytes this decompression has actually written, and what lands in the output is whatever that memory held before: uninitialized data, or the result of an earlier decompression into the same buffer. According to the advisory, the block API functions `decompress_into` and `decompress_into_with_dict` are affected, and the remaining block functions are affected when the `safe-decode` feature is disabled; the frame API is not affected. The issue is classified as CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-823 (Use of Out-of-bounds Pointer). Anyone who can submit LZ4 block data to an affected function can trigger it, which makes it remote and unauthenticated wherever an application decompresses network input; the CVSS 4.0 vector records a network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The vulnerability was published on March 20, 2026, and is fixed in 0.11.6 and 0.12.1. No exploitation in the wild had been reported at the time of this analysis.
Potential Impact
The primary impact of CVE-2026-32829 is unauthorized disclosure of memory contents during decompression with a vulnerable lz4_flex build. Deployments that decompress attacker-supplied LZ4 blocks with the affected block API, especially where the output buffer is reused across requests or sits near other sensitive allocations, can return fragments of other users' data, credentials, cryptographic key material, or other secrets inside what looks like an ordinary decompressed payload. Exploitation needs nothing more than the ability to submit compressed data, so in network-facing services it is remote and unauthenticated. The flaw does not directly affect integrity or availability, but a confidentiality breach of this kind can lead to regulatory exposure, reputational harm, and follow-on compromise using leaked secrets. The absence of reported in-the-wild exploitation suggests limited current use, but the low attack complexity and high confidentiality impact recorded in the CVSS 4.0 vector justify prompt remediation. The risk is greatest where lz4_flex processes untrusted compressed input in network-facing or multi-tenant services.
Mitigation Recommendations
To mitigate CVE-2026-32829, upgrade lz4_flex to 0.11.6 or later on the 0.11 line, or 0.12.1 or later on the 0.12 line; the fix is in the library, not in application code. Find every copy in the dependency graph, including transitive ones (for Cargo projects, `cargo tree -i lz4_flex` lists what depends on each resolved version), and confirm the lockfile actually resolves to a fixed version. Review all call sites of the block API (`decompress_into`, `decompress_into_with_dict`, and the other block functions): where the input is untrusted, prefer the frame API, which the advisory states is unaffected, and keep the `safe-decode` feature enabled (it is on by default in the crate; disabling it widens the affected set to the whole block API). Note that `safe-decode` alone does not cover `decompress_into` and `decompress_into_with_dict`, which the advisory lists as affected regardless. Until a patched build is deployed, do not pass attacker-controlled block data to those functions, and do not hand them a reused output buffer that still holds another request's plaintext: zero the buffer or allocate a fresh one, so that anything an out-of-bounds copy picks up is zeros rather than someone else's data. Log and alert on decompression errors from untrusted input, since malformed blocks are the trigger. Finally, keep an inventory of components that embed lz4_flex so that this and future advisories can be patched promptly.
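The following Rust program is an added example for this page: it is not lz4_flex's code and does not reproduce the crate's exact faulty check. It implements a minimal LZ4 block decoder twice, once with a match copy that trusts the offset and once with a correct one, and feeds both a constructed block whose match reaches back into bytes the current call never wrote. It serves both the Technical Summary above (the mechanism: the output carries whatever a reused buffer held from a previous decompression) and the Mitigation section (what a correct match-copy check looks like). The names `decompress_into_leaky`, `decompress_into_checked`, `DecodeError`, `SECRET_BLOCK` and `OVERLAP_BLOCK` are invented for the illustration; the byte layout is the real LZ4 block format. The example models the "leak from a previous decompression" case in safe Rust; the unchecked, `safe-decode`-off path the advisory describes is the same missing validation turned into a raw read before the buffer, which safe Rust cannot reproduce deterministically.

```rust
// Added illustration for this page, not lz4_flex's code: a minimal LZ4 block decoder with a
// leaky and a checked match copy. Function names, DecodeError and the sample blocks are invented.
#[derive(Debug, PartialEq)]
pub enum DecodeError { TruncatedInput, OutputTooSmall, InvalidOffset { at: usize, offset: usize } }

/// LZ4 extended length: add bytes to `len` until the first byte that is not 0xFF.
fn read_extended_len(input: &[u8], ip: &mut usize, mut len: usize) -> Result<usize, DecodeError> {
    loop {
        let b = *input.get(*ip).ok_or(DecodeError::TruncatedInput)?;
        *ip += 1;
        len += b as usize;
        if b != 0xFF { return Ok(len); }
    }
}

/// Parses block sequences (token, literals, 2-byte LE offset, match length) into `output` from
/// index 0; `copy_match(out, op, offset, len)` is the only part the two decoders differ in.
fn decode_block(input: &[u8], output: &mut [u8],
    mut copy_match: impl FnMut(&mut [u8], usize, usize, usize) -> Result<(), DecodeError>,
) -> Result<usize, DecodeError> {
    let (mut ip, mut op) = (0usize, 0usize);
    while ip < input.len() {
        let token = input[ip];
        ip += 1;
        let mut lit_len = (token >> 4) as usize;
        if lit_len == 15 { lit_len = read_extended_len(input, &mut ip, 15)?; }
        let lits = input.get(ip..ip + lit_len).ok_or(DecodeError::TruncatedInput)?;
        output.get_mut(op..op + lit_len).ok_or(DecodeError::OutputTooSmall)?.copy_from_slice(lits);
        ip += lit_len;
        op += lit_len;
        if ip == input.len() { break; } // a block ends with a literal-only sequence
        let off = input.get(ip..ip + 2).ok_or(DecodeError::TruncatedInput)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        ip += 2;
        let mut match_len = (token & 0x0F) as usize + 4;
        if (token & 0x0F) == 15 { match_len = read_extended_len(input, &mut ip, match_len)?; }
        if op + match_len > output.len() { return Err(DecodeError::OutputTooSmall); }
        copy_match(&mut *output, op, offset, match_len)?;
        op += match_len;
    }
    Ok(op)
}
/// Leaky: the offset is checked against the start of the output but never against the match
/// length, and the match is copied with a memmove-style block copy. For an overlapping match
/// (len > offset) the source range runs past `op`, so stale bytes this call never wrote are copied.
pub fn decompress_into_leaky(input: &[u8], output: &mut [u8]) -> Result<usize, DecodeError> {
    decode_block(input, output, |out, op, offset, len| {
        if offset == 0 || offset > op { return Err(DecodeError::InvalidOffset { at: op, offset }); }
        let src = op - offset;
        out.copy_within(src..src + len, op);
        Ok(())
    })
}

/// Checked: an overlapping match is resolved byte by byte, so every source byte was written
/// earlier in this call (LZ4 run-length semantics); non-overlapping matches keep the block copy.
pub fn decompress_into_checked(input: &[u8], output: &mut [u8]) -> Result<usize, DecodeError> {
    decode_block(input, output, |out, op, offset, len| {
        if offset == 0 || offset > op { return Err(DecodeError::InvalidOffset { at: op, offset }); }
        let src = op - offset;
        if offset >= len {
            out.copy_within(src..src + len, op);
        } else {
            for i in 0..len { out[op + i] = out[src + i]; }
        }
        Ok(())
    })
}
/// Constructed sample blocks. SECRET_BLOCK: one literal-only sequence carrying a 16-byte secret.
/// OVERLAP_BLOCK: literals "AB", a valid match (offset 1, length 8: repeat last byte), then literal "!".
pub const SECRET_BLOCK: &[u8] = &[
    0xF0, 0x01, // token: 15 literals + extended byte 1 = 16 literals, no match
    b'S', b'E', b'C', b'R', b'E', b'T', b'=', b'h', b'u', b'n', b't', b'e', b'r', b'2', b'!', b'!',
];
pub const OVERLAP_BLOCK: &[u8] = &[
    0x24, b'A', b'B', // token: 2 literals, match length 4 + 4 = 8; literals "AB"
    0x01, 0x00, // offset 1, little-endian
    0x10, b'!', // final sequence: 1 literal
];

/// Decompresses SECRET_BLOCK and then OVERLAP_BLOCK into the same reused buffer (as a
/// pooled-buffer service would) with each decoder; returns the (leaky, checked) outputs.
pub fn demo() -> (Vec<u8>, Vec<u8>) {
    let decoders: [fn(&[u8], &mut [u8]) -> Result<usize, DecodeError>; 2] = [decompress_into_leaky, decompress_into_checked];
    let mut outputs = Vec::new();
    for decode in decoders {
        let mut buf = [0u8; 32];
        let n = decode(SECRET_BLOCK, &mut buf).unwrap();
        assert_eq!(&buf[..n], &b"SECRET=hunter2!!"[..]);
        let n = decode(OVERLAP_BLOCK, &mut buf).unwrap();
        outputs.push(buf[..n].to_vec());
    }
    let checked = outputs.pop().unwrap();
    (outputs.pop().unwrap(), checked)
}
fn main() {
    let (leaky, checked) = demo(); // prints "ABBCRET=hu!" then "ABBBBBBBBB!"
    println!("{}\n{}", String::from_utf8_lossy(&leaky), String::from_utf8_lossy(&checked));
}
```

The second block is valid LZ4 (an 8-byte match at offset 1 is the standard way to encode a run), so nothing about the input looks wrong to a parser; the difference is entirely in how the match copy is bounded. The leaky decoder returns `ABBCRET=hu!`, seven bytes of the previous block's secret riding inside the run, while the checked decoder returns `ABBBBBBBBB!`. The point for callers of the affected `decompress_into` functions until they are upgraded: the bytes that leak are whatever the output buffer already holds, so never hand those functions a buffer that still contains another request's plaintext.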
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, China
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T17:35:36.698Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc9abfe32a4fbe5f103102
Added to database: 3/20/2026, 12:54:23 AM
Last enriched: 3/27/2026, 7:30:16 PM
Last updated: 5/2/2026, 3:22:22 PM