GHSA-vvp9-7p8x-rfvv: lz4_flex's decompression can leak information from uninitialized memory or reused output buffer

March 16, 2026

Decompressing invalid LZ4 data can leak data from uninitialized memory, or can leak content from previous decompression operations when reusing an output buffer.

References

github.com/PSeitz/lz4_flex
github.com/PSeitz/lz4_flex/commit/055502ee5d297ecd6bf448ac91c055c7f6df9b6d
github.com/PSeitz/lz4_flex/security/advisories/GHSA-vvp9-7p8x-rfvv
github.com/advisories/GHSA-vvp9-7p8x-rfvv

Code Behaviors & Features

Detect and mitigate GHSA-vvp9-7p8x-rfvv with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →