VDB
ALPINE-CVE-2021-3520
ALPINE-CVE-2021-3520
PUBLISHED
CVSS 9.800000190734863 CRITICAL
There's a flaw in lz4. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The greatest impact of this flaw is to availability, with some potential impact to confidentiality and integrity as well.
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.20 | lz4 | 0, 1.7.5-r0, 1.8.0-r0 |
| Alpine:v3.17 | lz4 | 1.8.3, 1.9.3-r0, 1.9.2-r0 |
| Alpine:v3.21 | lz4 | 0, 1.7.5-r0, 1.8.0-r0 |
| Alpine:v3.19 | lz4 | 1.9.2-r0, 0, 1.7.5-r0 |
| Alpine:v3.18 | lz4 | 1.7.5-r0, 1.8.3, 1.9.3-r0 |
| Alpine:v3.12 | lz4 | 1.8.3-r0, 1.8.3, 1.9.2-r0 |
| Alpine:v3.24 | lz4 | 1.8.3 |
| Alpine:v3.14 | lz4 | 0, 1.7.5-r0, 1.8.0-r0 |
| Alpine:v3.13 | lz4 | 1.8.3-r2, 0, 1.7.5-r0 |
| Alpine:v3.15 | lz4 | 0, 1.7.5-r0, 1.9.2-r0 |
| Alpine:v3.23 | lz4 | 1.8.1-r0, 0, 1.8.0-r1 |
| Alpine:v3.16 | lz4 | 0, 1.8.0-r0, 1.8.0-r1 |
| Alpine:v3.22 | lz4 | 1.9.3-r0, 0, 1.8.3 |
Timeline
- Jun 2, 2021 CVE Published
- Apr 30, 2026 Distribution Patch
- Jul 8, 2026 CVE Updated