CVE-2022-26291: 
Linux Debian vulnerability analysis and mitigation

CVE-2022-26291 affects lrzip version 0.641, involving a multiple concurrency use-after-free vulnerability between the functions zpaq_decompress_buf() and clear_rulist(). The vulnerability was discovered in early 2022 and publicly disclosed on March 28, 2022. This security flaw affects the lrzip compression software and its implementations across various Linux distributions (NVD, Debian Security).

The vulnerability is characterized by a multiple concurrency use-after-free condition that occurs between the zpaq_decompress_buf() and clear_rulist() functions. The issue arises when both threads operate on a shared variable ucthread, where one thread deallocates the ucthread while another thread attempts to use it. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (GitHub Issue).

When exploited, this vulnerability allows attackers to cause a Denial of Service (DoS) through a specially crafted lrz file. The impact is primarily focused on system availability, with no direct impact on confidentiality or integrity (Debian LTS).

The vulnerability has been patched in various Linux distributions. Debian has released fixes in version 0.631-1+deb9u2 for Debian 9 (Stretch), version 0.631+git180528-1+deb10u1 for Debian 10 (Buster), and version 0.641-1+deb11u1 for Debian 11 (Bullseye). Users are strongly recommended to upgrade their lrzip packages to these patched versions (Debian Security, Debian LTS).