CVEs-PoC/2021/CVE-2021-29482.md

### [CVE-2021-29482](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29482)
![](https://img.shields.io/static/v1?label=Product&message=xz&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=%7B%22CWE-835%22%3A%22Loop%20with%20Unreachable%20Exit%20Condition%20('Infinite%20Loop')%22%7D&color=brighgreen)

### Description

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/k1LoW/oshka
- https://github.com/naveensrinivasan/stunning-tribble