First published: Mon Mar 28 2022
lrzip v0.641 was discovered to contain a multiple concurrency use-after-free between the functions zpaq_decompress_buf() and clear_rulist(). This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted lrz file.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/lrzip | 0.631+git180528-1+deb10u1, 0.641-1+deb11u1, 0.651-2 | |
Long Range Zip Project Long Range Zip | =0.641 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Debian Debian Linux | =11.0 | |
The vulnerability ID for this lrzip vulnerability is CVE-2022-26291.
CVE-2022-26291 has a severity level of medium with a value of 5.5.
The affected software for CVE-2022-26291 is lrzip v0.641.
This vulnerability can be exploited by attackers using a crafted lrz file to cause a Denial of Service (DoS) through a multiple concurrency use-after-free.
To fix CVE-2022-26291, update to one of the following versions: lrzip v0.631+git180528-1+deb10u1, lrzip v0.641-1+deb11u1, or lrzip v0.651-2.