CVE-2026-42250

Description

bzip2 contains an off‑by‑one error in the bzip2recover utility. When processing a specially crafted file, the application performs an out‑of‑bounds write to a global buffer, resulting in memory corruption and a crash (denial of service). This issue was fixed in bzip2 patch 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

Passive

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

Low

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

bzip2 / bzip20 – 1.0.8
bzip2 / bzip235d122a3df8b0cc4082a4d89fdc6ee99f375fe67 – 35d122a3df8b0cc4082a4d89fdc6ee99f375fe67

References

MISChttps://cert.pl/en/posts/2026/05/CVE-2026-42250/
MISChttps://sourceware.org/bzip2/
MISChttps://inbox.sourceware.org/bzip2-devel/20260528145407.293768-1-mark@klomp.org/
MISChttps://sourceware.org/cgit/bzip2/commit/?id=35d122a3df8b0cc4082a4d89fdc6ee99f375fe67