A vulnerability was found in lz4. lz4-sys up to v1.9.3 bundles a version of liblz4 that is vulnerable to CVE-2021-3520. This vulnerability affects the function memmove. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to a call to memmove() with a negative size argument, causing an out-of-bounds write and/or a crash.
Risk: Manipulation of the size argument with an unknown input leads to an out-of-bounds write vulnerability. This will have an impact on availability, integrity and confidentiality.
Links: CVE-2021-3520 https://www.mend.io/vulnerability-database/CVE-2021-3520
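
To check whether a Rust project locks an affected lz4-sys release, the following added example (not part of the original advisory) scans Cargo.lock text for lz4-sys entries at or below v1.9.3. It assumes "up to v1.9.3" is inclusive; the sample lock file is constructed, and the function names are this example's own.

```python
import re

# Assumption: "up to v1.9.3" on this page is read as inclusive.
LAST_AFFECTED = (1, 9, 3)
CRATE = "lz4-sys"

# Constructed sample Cargo.lock content (not from a real project).
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "lz4"
version = "1.23.2"
dependencies = [
 "libc",
 "lz4-sys",
]

[[package]]
name = "lz4-sys"
version = "1.9.2"
'''

def parse_version(text):
    """Return (major, minor, patch), ignoring pre-release/build suffixes."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def locked_packages(lock_text):
    """Yield (name, version) for every [[package]] table in a Cargo.lock."""
    for block in re.split(r"^\[\[package\]\]\s*$", lock_text, flags=re.M)[1:]:
        # Anchoring at line start skips names listed under dependencies.
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, flags=re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, flags=re.M)
        if name and version:
            yield name.group(1), version.group(1)

def affected_versions(lock_text):
    """Return the locked lz4-sys versions that fall in the affected range."""
    return sorted(v for n, v in locked_packages(lock_text)
                  if n == CRATE and parse_version(v) <= LAST_AFFECTED)

if __name__ == "__main__":
    for v in affected_versions(SAMPLE_LOCK):
        print(f"{CRATE} {v} bundles a liblz4 affected by CVE-2021-3520")
```

Pass the contents of a project's own Cargo.lock to `affected_versions()`; an empty list means no locked lz4-sys entry falls in the range stated above.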