CVE-2026-32829: CWE-201: Insertion of Sensitive Information Into Sent Data in PSeitz lz4_flex
lz4_flex is a pure Rust implementation of LZ4 compression/decompression. In versions 0.11.5 and below, and 0.12.0, decompressing invalid LZ4 data can leak sensitive information from uninitialized memory or from previous decompression operations. The library fails to properly validate offset values during LZ4 "match copy operations," allowing out-of-bounds reads from the output buffer. The block-based API functions (`decompress_into`, `decompress_into_with_dict`, and others when `safe-decode` is disabled) are affected, while all frame APIs are unaffected. The impact is potential exposure of sensitive data and secrets through crafted or malformed LZ4 input. This issue has been fixed in versions 0.11.6 and 0.12.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-32829 affects the lz4_flex library, a pure Rust implementation of the LZ4 compression algorithm. Specifically, in versions 0.11.5 and below, and 0.12.0, the library's block-based decompression APIs (such as decompress_into and decompress_into_with_dict) improperly validate offset parameters during LZ4 match copy operations. This leads to out-of-bounds reads from the output buffer, which can cause leakage of sensitive information residing in uninitialized memory or leftover data from prior decompression tasks. The root cause is the lack of bounds checking on the offset values used to copy matches within the decompressed output, violating safe memory access principles. Notably, this issue only affects block-based APIs when the safe-decode feature is disabled; all frame-based APIs remain secure. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-823 (Use of Out-of-bounds Pointer). The CVSS 4.0 base score is 8.2, reflecting high severity due to network vector, no required privileges or user interaction, and high impact on confidentiality. Although no known exploits have been reported in the wild, the flaw allows remote attackers to craft malicious LZ4 compressed data that, when decompressed, can leak sensitive memory contents. The vendor has addressed the issue in versions 0.11.6 and 0.12.1 by implementing proper offset validation and bounds checking.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information from memory during decompression operations. Organizations that use lz4_flex for compression/decompression in security-sensitive contexts—such as handling confidential data, cryptographic keys, or personal information—risk exposure of secrets if they rely on vulnerable versions. Since exploitation requires only supplying crafted compressed data, attackers can remotely trigger information leaks without authentication or user interaction. This can lead to data breaches, loss of confidentiality, and erosion of trust. The vulnerability may also facilitate further attacks if leaked data includes credentials or cryptographic material. Systems embedding lz4_flex in client-server applications, cloud services, or embedded devices are particularly at risk. Although no active exploitation is known, the ease of exploitation and high confidentiality impact make this a critical concern for developers and organizations using the affected library versions.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade lz4_flex to versions 0.11.6 or 0.12.1 or later, where the issue is fixed. Developers should audit their codebases to identify usage of block-based decompression APIs, especially where the safe-decode feature is disabled, and transition to frame-based APIs if feasible, as these are unaffected. Enabling safe-decode mode provides additional protection by enforcing stricter validation. It is also advisable to implement input validation and integrity checks on compressed data before decompression to detect malformed inputs. For critical environments, consider sandboxing decompression operations to limit potential data exposure. Monitoring for unusual decompression activity and applying strict access controls on services accepting compressed data can further reduce risk. Finally, maintain an inventory of software dependencies to ensure timely patching of vulnerable components.
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, France, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T17:35:36.698Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc9abfe32a4fbe5f103102
Added to database: 3/20/2026, 12:54:23 AM
Last enriched: 3/20/2026, 1:08:37 AM
Last updated: 3/20/2026, 2:03:07 AM