CVE-2025-31115: XZ Utils Hit Again with High-Severity Multithreaded Decoder Bug

This security issue gives an attacker the ability to cause system crashes or achieve arbitrary code execution by exploiting a heap use-after-free vulnerability within the XZ Utils multithreaded decoder when it processes specially crafted invalid input. The following protection guardrails can further prevent the following steps an attacker can take: Should an attacker successfully exploit this vulnerability to execute their own code, Reverse Shell Protection helps prevent them from establishing an interactive command channel back to their system, for instance, by blocking attempts to redirect a shell's input and output to a network socket. If the compromised process, now under attacker control, attempts to communicate with a command-and-control server or exfiltrate sensitive data, Process Socket Deny helps prevent these unauthorized outbound network connections. If this vulnerability is exploited within a containerized application, Container Drift Protection (Binaries & Scripts) helps prevent the execution of any new malicious tools or scripts that were not part of the original container image, such as those an attacker might download after gaining initial access. Furthermore, Process Path Exec Allow helps prevent the attacker from running their malicious payloads from unauthorized file system locations, such as temporary directories, which is a common tactic after achieving code execution. Finally, if the attacker attempts to run known hacking tools or utilities often abused for malicious purposes, such as network reconnaissance tools or unauthorized downloaders, Process Exec Deny helps prevent the execution of these specific forbidden processes by blocking those whose names or path suffixes appear on a deny list.

• T1203: Exploitation for Client Execution: The article describes a vulnerability in XZ Utils where the multithreaded decoder function lzmastreamdecoder_mt mishandles invalid input, leading to a heap use-after-free condition. This condition can cause memory corruption or crashes, which attackers could exploit to execute arbitrary code. This aligns with the MITRE ATT&CK technique of Exploitation for Client Execution (T1203), where vulnerabilities are exploited to execute code on a system.
• T1068: Exploitation for Privilege Escalation: The article mentions that the vulnerability could lead to 'writing to an address based on the null pointer plus an offset,' which implies memory corruption. This behavior is indicative of the MITRE ATT&CK technique of Exploitation for Privilege Escalation (T1068), where vulnerabilities are used to elevate privileges by corrupting memory or executing code with higher privileges.

F1: Denial of Service (DoS) attack exploiting CVE-2025-31115 by causing a crash in applications using the multithreaded decoder of XZ Utils.

• Attacker identifies a target application or system that utilizes an affected version of XZ Utils (5.3.3alpha to 5.8.0) and specifically employs the lzmastreamdecoder_mt function for decompressing .xz or .lzma files. (Cited from: "impacts XZ Utils versions 5.3.3alpha to 5.8.0", "applications and systems using the lzmastreamdecoder_mt function in liblzma")
• Attacker crafts a malicious compressed file (e.g., an .xz file) containing "invalid input" specifically designed to trigger the heap use-after-free vulnerability in the multithreaded decoder. (Cited from: "invalid input can at least result in a crash", "heap use-after-free bug in its multithreaded decoder")
• Attacker delivers this malicious file to the target system or application. This could be via direct upload, email attachment, or by placing it where the application automatically processes files.
• The target application attempts to decompress the malicious file using the vulnerable lzmastreamdecoder_mt function.
• The processing of the "invalid input" by the decoder triggers the heap use-after-free condition, leading to a crash of the application or system process. (Cited from: "invalid input can at least result in a crash")
  • BR-81: Kernel CET/Shadow Stack Guard - This mechanism could apply if the memory corruption resulting from the heap use-after-free in user-space is severe enough to destabilize kernel operations or if an attacker attempts to leverage the resulting crash or limited control to trigger a kernel-level Return-Oriented Programming (ROP) attack. BR-81 protects against such kernel ROP attacks on Intel CPUs by ensuring return address integrity.
  • BR-73: Kernel CET/IBT Guard - This mechanism could apply if the user-space memory corruption or subsequent exploitation attempts lead to an attack on the kernel involving Jump-Oriented Programming (JOP) or manipulation of indirect branches. BR-73 protects the Linux kernel's control flow integrity for indirect branches on Intel CPUs.

​

F2: Memory corruption attack exploiting CVE-2025-31115, potentially leading to arbitrary code execution by leveraging the heap use-after-free vulnerability.

• Attacker targets an application or system known to use XZ Utils versions 5.3.3alpha to 5.8.0 with its multithreaded decoder (lzmastreamdecoder_mt). (Cited from: "impacts XZ Utils versions 5.3.3alpha to 5.8.0", "applications and libraries that utilize the lzmastreamdecoder_mt function")
• Attacker crafts a sophisticated malicious compressed file with specific "invalid input". This input is designed to exploit the vulnerability leading to "heap use after free and writing to an address based on the null pointer plus an offset". (Cited from: "invalid input", "heap use after free and writing to an address based on the null pointer plus an offset")
• Attacker introduces the crafted file into the target application's processing workflow.
• Upon decompression with lzmastreamdecoder_mt, the vulnerability is triggered, causing targeted memory corruption. (Cited from: "corrupt memory")
• The attacker aims for this memory corruption to alter critical program state or control flow, potentially enabling the "ability to execute arbitrary code". (Cited from: "ability to execute arbitrary code")
  • BR-54: Container Drift Protection (Binaries & Scripts) - If this software ran inside a container, this mechanism applies because if arbitrary code execution is achieved and the attacker attempts to execute new binaries or scripts not present in the original container image, BR-54 would block their execution.
  • BR-62: Linux/Host Drift Protection - This mechanism applies because if arbitrary code execution is achieved and the attacker attempts to execute new binaries or scripts that were not installed via a trusted package manager (i.e., added outside of these managers post-boot), BR-62 would block their execution.
  • BR-55: Reverse Shell Protection - This mechanism applies because if arbitrary code execution allows the attacker to attempt to establish a reverse shell or bind shell by hijacking a native shell interpreter's I/O to a network socket, this mechanism would detect and block such activity.
  • BR-90: Process Exec Deny - This mechanism is applicable because if the attacker, after achieving arbitrary code execution, attempts to execute a process whose name or path suffix (e.g., '/nc', '/wget', '/curl') is on the deny list, BR-90 would block that specific process execution.
  • BR-88: Process Path Exec Allow - This mechanism is applicable because if the attacker, after achieving arbitrary code execution, attempts to execute a payload from a non-allowed filesystem path (e.g., '/tmp' or a user-writable directory not on the allowlist), BR-88 would block it.
  • BR-87: Process Socket Deny - This mechanism is applicable because if the exploited process, now under attacker control via arbitrary code execution, attempts to initiate unauthorized outgoing network connections or listen for incoming ones, and this process is not on the allow list for network access, its socket operations would be denied.
  • BR-81: Kernel CET/Shadow Stack Guard - This mechanism is applicable if the attacker, after achieving arbitrary code execution in user-space via the liblzma vulnerability, attempts to escalate privileges or gain further system control by launching a kernel-level exploit that uses Return-Oriented Programming (ROP). BR-81 protects the Linux kernel (on Intel CPUs) from such ROP attacks.
  • BR-73: Kernel CET/IBT Guard - This mechanism is applicable if the attacker, following user-space ACE, tries to exploit the Linux kernel (on Intel CPUs) using Jump-Oriented Programming (JOP) or other indirect branch manipulation techniques. BR-73 protects against these kernel control-flow attacks.
  • BR-96: Library OS Command Injection Prevention - This mechanism is applicable if the arbitrary code execution achieved within the context of the vulnerable liblzma library subsequently causes the library itself to make direct fork() or exec() system calls (e.g. to run OS commands), and liblzma is not on an allow list for such behavior. BR-96 monitors libraries for these calls and can block them.