VDB

ALPINE-CVE-2021-3520

ALPINE-CVE-2021-3520 PUBLISHED CVSS 9.800000190734863 CRITICAL

There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.

Risk Scores

CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.20lz40, 1.7.5-r0, 1.8.0-r0
Alpine:v3.17lz41.8.3, 1.9.3-r0, 1.9.2-r0
Alpine:v3.21lz40, 1.7.5-r0, 1.8.0-r0
Alpine:v3.19lz41.9.2-r0, 0, 1.7.5-r0
Alpine:v3.18lz41.7.5-r0, 1.8.3, 1.9.3-r0
Alpine:v3.12lz41.8.3-r0, 1.8.3, 1.9.2-r0
Alpine:v3.24lz41.8.3
Alpine:v3.14lz40, 1.7.5-r0, 1.8.0-r0
Alpine:v3.13lz41.8.3-r2, 0, 1.7.5-r0
Alpine:v3.15lz40, 1.7.5-r0, 1.9.2-r0
Alpine:v3.23lz41.8.1-r0, 0, 1.8.0-r1
Alpine:v3.16lz40, 1.8.0-r0, 1.8.0-r1
Alpine:v3.22lz41.9.3-r0, 0, 1.8.3

Timeline

  • Jun 2, 2021 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›