{
  "threat_severity" : "Moderate",
  "public_date" : "2019-07-17T00:00:00Z",
  "bugzilla" : {
    "description" : "lz4: heap-based buffer overflow in LZ4_write32",
    "id" : "1765316",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1765316"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states \"only a few specific / uncommon usages of the API are at risk.\"" ],
  "statement" : "According to upstream, this flaw cannot be exploited under normal, documented use of the LZ4 library API. Additionally, the flaw is present only in the LZ4 library itself, and the application binaries shipped with this package are not affected.\nRed Hat OpenStack Platform 10 includes an older version of LZ4 that contains the flawed code. However, OpenStack has been using RHEL's updated LZ4 version since RHEL 7.5, so Red Hat is not issuing an update for the OpenStack LZ4 package. This CVE is rated Moderate because current Red Hat OpenStack offerings do not use the vulnerable version of lz4.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-07-15T00:00:00Z",
    "advisory" : "RHSA-2025:11035",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "lz4-0:1.8.3-5.el8_10"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "lz4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "lz4",
    "cpe" : "cpe:/a:redhat:openstack:10"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17543\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17543" ],
  "name" : "CVE-2019-17543",
  "csaw" : false
}