A memory management flaw in XZ Utils (CVE-2026-34743, CVSS 5.3 MEDIUM) occurs when appending data to a decoded index with no records, potentially leading to a crash or arbitrary code execution. The vulnerability affects tukaani xz versions prior to 5.8.3. The fix is to upgrade XZ Utils to version 5.8.3.
Ubuntu Security Notices USN-8362-1 USN-8362-1: XZ Utils vulnerability Publication date 2 June 2026 Overview XZ Utils could be made to crash or run programs as your login if it received specially crafted input. Releases 25.10 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS 14.04 LTS Open side navigation Close side navigation Packages Details Update instructions References Packages xz-utils - XZ-format compression utilities Details It was discovered that XZ Utils did not properly manage memory when attempting to append data to a decoded index that contained no records. An attacker could possibly use this issue to cause XZ Utils to crash, resulting in a denial of service, or execute arbitrary code. It was discovered that XZ Utils did not properly manage memory when attempting to append data to a decoded index that contained no records. An attacker could possibly use this issue to cause XZ Utils to crash, resulting in a denial of service, or execute arbitrary code. Update instructions In general, a standard system update will make all the necessary changes. Learn more about how to get the fixes. The problem can be corrected by updating your system to the following package versions: Ubuntu Release Package Version 25.10 questing liblzma5 β 5.8.1-1ubuntu0.1 xz-utils β 5.8.1-1ubuntu0.1 xzdec β 5.8.1-1ubuntu0.1 24.04 LTS noble liblzma5 β 5.6.1+really5.4.5-1ubuntu0.3 xz-utils β 5.6.1+really5.4.5-1ubuntu0.3 xzdec β 5.6.1+really5.4.5-1ubuntu0.3 22.04 LTS jammy liblzma5 β 5.2.5-2ubuntu1.1 xz-utils β 5.2.5-2ubuntu1.1 xzdec β 5.2.5-2ubuntu1.1 20.04 LTS focal liblzma5 β 5.2.4-1ubuntu1.1+esm1 Ubuntu Pro Fix available with Ubuntu Pro . xz-utils β 5.2.4-1ubuntu1.1+esm1 Ubuntu Pro Fix available with Ubuntu Pro . xzdec β 5.2.4-1ubuntu1.1+esm1 Ubuntu Pro Fix available with Ubuntu Pro . 18.04 LTS bionic liblzma5 β 5.2.2-1.3ubuntu0.1+esm1 Ubuntu Pro Fix available with Ubuntu Pro . xz-utils β 5.2.2-1.3ubuntu0.1+esm1 Ubuntu Pro Fix available with Ubuntu Pro . 16.04 LTS xenial liblzma5 β 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. xz-utils β 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. xzdec β 5.1.1alpha+20120614-2ubuntu2.16.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. 14.04 LTS trusty liblzma5 β 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. xz-utils β 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. xzdec β 5.1.1alpha+20120614-2ubuntu2.14.04.1+esm2 Ubuntu Pro Fix available with Ubuntu Pro via Legacy Support add-on. Reduce your security exposure Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines. Get Ubuntu Pro References CVE-2026-34743 CVE-2026-34743