Nixpkgs security tracker

Untriaged

Permalink CVE-2025-15571

3.3 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

ckolivas lrzip stream.c ucompthread null pointer dereference

A security vulnerability has been detected in ckolivas lrzip up to 0.651. This vulnerability affects the function ucompthread of the file stream.c. Such manipulation leads to null pointer dereference. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-344931 | ckolivas lrzip stream.c ucompthread null pointer dereference vdb-entrytechnical-description
VDB-344931 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #752603 | ckolivas lrzip 0.651 NULL Pointer Dereference third-party-advisory
https://github.com/ckolivas/lrzip/issues/263 issue-tracking
https://github.com/user-attachments/files/21726331/PoC_NPD.zip exploit
https://github.com/ckolivas/lrzip/ product

Affected products

lrzip

==0.651

Matching in nixpkgs

pkgs.lrzip

CK LRZIP compression program (LZMA + RZIP)

nixos-unstable 0.651
- nixpkgs-unstable 0.651
- nixos-unstable-small 0.651
nixos-25.11 0.651
- nixpkgs-25.11-darwin 0.651

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.lrzip