Summary
@platformatic/wasm-utils depends on the Rust crate lz4_flex at version 0.12.0 (pinned in Cargo.lock). That version has a high-severity CVE filed against it, CVE-2026-32829, which leaks arbitrary memory contents when certain library APIs are used. To the best of my analysis, wasm-utils is not impacted by this vulnerability, because it only uses the frame APIs, which the advisory states are not affected.
Analysis
My code read is that wasm-utils resolves to an affected lz4_flex version, but its only code path into the crate goes through the frame API, which is not on this CVE's exploit path.
Cargo.toml:12
[dependencies]
lz4_flex = "0.12.0"
lib.rs:6-7
use lz4_flex::frame::{FrameDecoder, FrameEncoder};
lib.rs:48-53
pub extern "C" fn lz4_decompress(ptr: *const u8, len: usize) -> u64 {
    // Caller hands over a raw pointer/length into wasm linear memory.
    let input = unsafe { core::slice::from_raw_parts(ptr, len) };
    let mut output = vec![];
    // Frame API only: FrameDecoder wraps the input slice as a reader.
    let mut decoder = FrameDecoder::new(input);
    // A malformed frame makes unwrap() panic rather than hand back partial data.
    decoder.read_to_end(&mut output).unwrap();
- Version status: native/Cargo.toml and native/Cargo.lock resolve lz4_flex to 0.12.0, which is in the advisory's affected range (>=0.12.0 <0.12.1). Note that the Cargo.toml requirement "0.12.0" is a caret requirement, so it already permits 0.12.1; moving off the affected range only needs a lockfile update (cargo update -p lz4_flex), not a manifest change.
- API usage status: the Rust library imports only lz4_flex::frame::{FrameDecoder, FrameEncoder} and never references the crate-root or block-level functions; the advisory explicitly says the frame APIs are not affected.
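The two checks above (is the locked version inside the advisory's range, and does the source touch anything outside lz4_flex::frame) are easy to get wrong by eye when a lockfile has hundreds of packages, so here is an added triage script that mechanizes them. This is example code written for this note, not code from wasm-utils or from lz4_flex; the Cargo.lock excerpt and the Rust source snippets it runs on are constructed samples, and the affected range is the one quoted from the advisory (>=0.12.0 <0.12.1). The script flags every lz4_flex path whose first segment is not frame, because the advisory only vouches for the frame APIs.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the advisory for CVE-2026-32829.
AFFECTED_MIN = (0, 12, 0)
FIXED_IN = (0, 12, 1)

# Constructed Cargo.lock excerpt (not the project's real lockfile).
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "libc"
version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "lz4_flex"
version = "0.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed source resembling the wasm-utils excerpt: frame API only.
SAMPLE_FRAME_ONLY = """\
use std::io::Read;
use lz4_flex::frame::{FrameDecoder, FrameEncoder};
"""

# Constructed counter-example that would put a crate on the CVE's code path.
SAMPLE_BLOCK_USE = """\
use lz4_flex::frame::FrameDecoder;
use lz4_flex::{compress_prepend_size, decompress_size_prepended};
let out = lz4_flex::block::decompress(&buf, 1024);
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '0.12.0' (optionally with -pre or +build suffix) into a comparable tuple."""
    core = s.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split("."))


def locked_version(cargo_lock: str, crate: str) -> Optional[str]:
    """Return the version Cargo.lock pins for `crate`, or None if absent."""
    for block in cargo_lock.split("[[package]]"):
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and ver and name.group(1) == crate:
            return ver.group(1)
    return None


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's half-open range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


# Matches `lz4_flex::ident` or `lz4_flex::{a, b::c}` (one level of braces only;
# nested brace groups are not handled and should be reviewed by hand).
_PATH_RE = re.compile(r"lz4_flex::(\{[^}]*\}|[A-Za-z_][A-Za-z0-9_]*)")


def non_frame_uses(source: str) -> List[str]:
    """List every lz4_flex path segment that is not under the frame module."""
    hits: List[str] = []
    for m in _PATH_RE.finditer(source):
        tail = m.group(1)
        if tail.startswith("{"):
            items = [i.strip() for i in tail.strip("{}").split(",")]
        else:
            items = [tail]
        for item in items:
            if item and item.split("::")[0] != "frame":
                hits.append(item)
    return hits


def triage(cargo_lock: str, source: str, crate: str = "lz4_flex") -> str:
    """Combine the version check and the API-surface check into one verdict."""
    ver = locked_version(cargo_lock, crate)
    if ver is None:
        return f"{crate}: not a dependency"
    if not is_affected(ver):
        return f"{crate} {ver}: outside affected range"
    uses = non_frame_uses(source)
    if uses:
        return f"{crate} {ver}: affected version AND non-frame API use: {uses}"
    return f"{crate} {ver}: affected version, frame APIs only"


if __name__ == "__main__":
    print(triage(SAMPLE_CARGO_LOCK, SAMPLE_FRAME_ONLY))
    print(triage(SAMPLE_CARGO_LOCK, SAMPLE_BLOCK_USE))
```

Run it against the real native/Cargo.lock and the crate's src/*.rs by reading those files in place of the constructed samples. A glob import (use lz4_flex::*;) will not be caught by the path regex, so treat any glob import as a manual-review item.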
References
https://crates.io/crates/lz4_flex/security
https://nvd.nist.gov/vuln/detail/CVE-2026-32829
https://crates.io/crates/lz4_flex/0.12.0