CVE-2021-3520: 
MySQL vulnerability analysis and mitigation

There's a flaw in lz4 (CVE-2021-3520) discovered in April 2021. An attacker who submits a crafted file to an application linked with lz4 may be able to trigger an integer overflow, leading to calling of memmove() on a negative size argument, causing an out-of-bounds write and/or a crash. The vulnerability affects lz4 version 1.8.3 and versions up to (excluding) 1.9.4 (Red Hat Bugzilla).

In the LZ4decompressgeneric() routine, outputSize is retrieved from the lz4 file as an integer. A code path allows outputSize to influence the value of 'length' via 'oend' in the call to memmove(op, ip, length). A crafted file can cause outputSize to be a negative value, and since length is interpreted by memmove() as a size_t, it can be an extremely large, out-of-bounds value. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability has significant impact on system security. The greatest impact is to availability, with some potential impact to confidentiality and integrity as well. A successful exploit could lead to out-of-bounds write operations, system crashes, and potential code execution (Red Hat Bugzilla).

The vulnerability has been fixed in lz4 version 1.9.4. The upstream patch checks to ensure that outputSize is not less than 0 at the beginning of the LZ4decompressgeneric() routine. Organizations should upgrade to the fixed version. Multiple vendors have released patches for their affected products, including Red Hat, Oracle, and NetApp (Red Hat Bugzilla, NetApp Advisory).