xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.
golang-github-ulikunitz-xz Debian
registry.redhat.io/multicluster-engine/assisted Red Hat / RHEL
Fixed in: installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64 RHSA-2026:26254 Fixed in: installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x RHSA-2026:26254 Fixed in: installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le RHSA-2026:26254 Fixed in: installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64 RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted Rocky
Fixed in: installer-rhel9@sha256:a382b267318a49d9dc29d704afb41f188edc15021d267d402203fcd10722dd5f_arm64 RHSA-2026:26254 Fixed in: installer-rhel9@sha256:d301ef6d274f4127b4eaf7ae78d2dd8af51aeebf999dd8624d20cbf0ba05864b_amd64 RHSA-2026:26254 Fixed in: installer-rhel9@sha256:458a6eaf23dc717f6988c94556bbbc224dcd2bbaa7573aed6fa820086f9523fe_s390x RHSA-2026:26254 Fixed in: installer-rhel9@sha256:ba3b4da8d399b387de1047cd7952224d0032c3748d12928a9b7eda776df8a38a_ppc64le RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-image Red Hat / RHEL
Fixed in: service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le RHSA-2026:26254 Fixed in: service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64 RHSA-2026:26254 Fixed in: service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x RHSA-2026:26254 Fixed in: service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64 RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-image Rocky
Fixed in: service-rhel9@sha256:5afcb0cd2a9c693cec0839deed6435c69abb50a4a50e5e55a69d3f553806bbd1_arm64 RHSA-2026:26254 Fixed in: service-rhel9@sha256:e9e0e699e9e9acf9645f1e38f71d08ba1711066c16d10f1b6475439c7661dcae_s390x RHSA-2026:26254 Fixed in: service-rhel9@sha256:bc2f8ee10452ea3e4841fb5c9acffbb820c53b329527c8580afccedb2a4bf37e_ppc64le RHSA-2026:26254 Fixed in: service-rhel9@sha256:6c5c5c4686bfc5cc9bbef1fcd990ee72af1080796cb0849ad006b6673a05859b_amd64 RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-installer Rocky
Fixed in: controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64 RHSA-2026:26254 Fixed in: agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le RHSA-2026:26254 Fixed in: controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le RHSA-2026:26254 Fixed in: agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64 RHSA-2026:26254 Fixed in: agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64 RHSA-2026:26254 Fixed in: controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64 RHSA-2026:26254 Fixed in: agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x RHSA-2026:26254 Fixed in: controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-installer Red Hat / RHEL
Fixed in: agent-rhel9@sha256:8bf11dabddf6d4784f1c397d300d953ffd762ef3db8b823971577fbef032a15b_ppc64le RHSA-2026:26254 Fixed in: controller-rhel9@sha256:dfcd7d76bfa892b6be2c2abd99f13bd7e58d2ca82ea99bf2443cec9b888fd918_ppc64le RHSA-2026:26254 Fixed in: agent-rhel9@sha256:d040d471b0b65a4be2d71e519cdf05d9040865a0889960335709d7f10b504e59_amd64 RHSA-2026:26254 Fixed in: controller-rhel9@sha256:1aef2fa08a49510813e8cc149cc737c09570c4c94d4441e846d0abdbd97b434f_amd64 RHSA-2026:26254 Fixed in: agent-rhel9@sha256:c34bb03b1038bbed1e6f47c2105703ae2214c772467ac2cea733cf6b2bd5572f_arm64 RHSA-2026:26254 Fixed in: controller-rhel9@sha256:f3379b9e6c08cd00abcf7be97308b7ff2354697407a026d5f08e942b47ca7e08_arm64 RHSA-2026:26254 Fixed in: agent-rhel9@sha256:2b436e18e98a63c98ccd5aa4e5315a4e8d7f9c6f0d1ba7ce36cf1f445ba6b213_s390x RHSA-2026:26254 Fixed in: controller-rhel9@sha256:b94a3f3ad45af3d4dd10498d5e6906947c72adc1361e50bda9482ba954e6567b_s390x RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-service Rocky
Fixed in: 8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x RHSA-2026:26257 Fixed in: 8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le RHSA-2026:26257 Fixed in: 9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64 RHSA-2026:26254 Fixed in: 8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 RHSA-2026:26257 Fixed in: 8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 RHSA-2026:26257 Fixed in: 9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x RHSA-2026:26254 Fixed in: 9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64 RHSA-2026:26254 Fixed in: 9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le RHSA-2026:26254 registry.redhat.io/multicluster-engine/assisted-service Red Hat / RHEL
Fixed in: 8-rhel8@sha256:2c6a0275687920af7a4852828689429b54fc89f5f6d457fc5b00e6300bef47ff_ppc64le RHSA-2026:26257 Fixed in: 8-rhel8@sha256:96d38a23205177fb651c7eac72711143cdbc847d29d26d60e1b364e3dd969f25_amd64 RHSA-2026:26257 Fixed in: 9-rhel9@sha256:bd04b7cfba87314171b1ce6113b0cc37b386a4bf30ae2f9020011ce002c6e933_arm64 RHSA-2026:26254 Fixed in: 8-rhel8@sha256:aa1b61f73bdfc1b60d1fa100e2b060eca0ef578c69a681f7603b49d81fc273ce_arm64 RHSA-2026:26257 Fixed in: 9-rhel9@sha256:a11d75aec4913b0643f7e74d4138c9cfa19b6ab4c6280519948de935873b4570_s390x RHSA-2026:26254 Fixed in: 9-rhel9@sha256:228e5cefc1e32500a2b244ebeaa4b700efed644c5e266a6b3d139e23a6d1113d_amd64 RHSA-2026:26254 Fixed in: 9-rhel9@sha256:2b9e8ab86b77035917aaa673ecc311a0fe0be0687c65a3e000b9e3dfe3e02bb7_ppc64le RHSA-2026:26254 Fixed in: 8-rhel8@sha256:78857cf0c460c7639b30bcee92cff7e5e2c8d0423e42522267c4d9ace96ad1b9_s390x RHSA-2026:26257 Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
Exploitability
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Impact
Confidentiality None
Integrity None
Availability Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
0.39% probability of exploitation in 30 days
30th percentile
Low risk: more likely to be exploited than 30% of all known CVEs.
Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities, ordered by exploit likelihood. View all
Embed a live status badge for CVE-2025-58058 Markdown
[](https://tridentstack.com/cve/CVE-2025-58058)HTML
<a href="https://tridentstack.com/cve/CVE-2025-58058"><img src="https://tridentstack.com/cve/badge/CVE-2025-58058.svg" alt="CVE-2025-58058"></a>Find and fix vulnerabilities across your fleet TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.
Start free This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2025-08-29.