A technical writeup detailed how a flaw in andyherbert’s lz1/lz77 decompression routine can be exploited to achieve remote code execution by supplying crafted compressed data. The bug arises because the decompressor limits coding_pos using uncompressed_size, but an inner copy loop continues incrementing coding_pos without enforcing the same boundary, allowing writes past the end of uncompressed_text. The first four bytes of attacker-controlled input determine uncompressed_size, and pointer metadata such as length can then be abused to trigger an out-of-bounds write.
The demonstrated exploitation path replaced heap allocation with stack allocation using alloca, turning the overflow into a stack-based attack capable of overwriting adjacent variables, saved frame data, and the return address. In a statically compiled, non-PIE amd64 binary, the exploit used a ROP chain to call _dl_make_stacks_executable, pivoted execution with a jmp rsp gadget, and ran shellcode that opened a reverse shell. The author noted that earlier fuzzing with afl-fuzz had already uncovered crashing inputs tied to the vulnerable logic.
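The defect described above is the classic "outer loop bounded, inner copy loop not" pattern. As an added illustration (hypothetical code written for this page, not andyherbert's lz1 implementation, with an assumed token layout), the decoder below carries the same check into the copy loop and refuses a match whose length would run past the claimed uncompressed size or the output buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical LZ77 decoder written for this page (not andyherbert's lz1 code).
 * Assumed stream layout: 4-byte little-endian uncompressed_size, then tokens:
 *   0x00 <byte>                     literal
 *   0x01 <offset LE16> <length u8>  copy `length` bytes from `offset` back
 * Returns the decoded length, or -1 if the input is malformed or would
 * write past the claimed size / output buffer. */
long lz77_decompress_checked(const uint8_t *in, size_t in_len,
                             uint8_t *out, size_t out_cap)
{
    if (in_len < 4) return -1;
    uint32_t claimed = (uint32_t)in[0] | (uint32_t)in[1] << 8 |
                       (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    if (claimed > out_cap) return -1;      /* header is attacker-controlled */
    size_t ip = 4, op = 0;
    while (ip < in_len && op < claimed) {  /* outer bound, as in the writeup */
        uint8_t tag = in[ip++];
        if (tag == 0x00) {
            if (ip >= in_len) return -1;
            out[op++] = in[ip++];
        } else if (tag == 0x01) {
            if (in_len - ip < 3) return -1;
            size_t offset = (size_t)in[ip] | (size_t)in[ip + 1] << 8;
            size_t length = in[ip + 2];
            ip += 3;
            if (offset == 0 || offset > op) return -1;  /* reference before start */
            /* The bound the writeup says the inner copy loop lacked: the copy
             * must stop at the claimed size, not run on for `length` bytes. */
            if (length > claimed - op) return -1;
            for (size_t i = 0; i < length; i++, op++)   /* byte-wise, overlap OK */
                out[op] = out[op - offset];
        } else {
            return -1;
        }
    }
    return (long)op;
}

/* Constructed sample streams (not from the writeup) for the checks below. */
static const uint8_t GOOD[] = {6,0,0,0, 0,'a', 0,'b', 1,2,0,4};   /* -> "ababab" */
static const uint8_t BAD[]  = {3,0,0,0, 0,'a', 0,'b', 1,2,0,200}; /* 200-byte copy, 1 byte of room */

long demo_good(void) {
    uint8_t out[16];
    long n = lz77_decompress_checked(GOOD, sizeof GOOD, out, sizeof out);
    return (n == 6 && memcmp(out, "ababab", 6) == 0) ? n : -2;
}
long demo_bad(void) { uint8_t out[16]; return lz77_decompress_checked(BAD, sizeof BAD, out, sizeof out); }
```

The BAD stream is exactly the shape the writeup describes: a small claimed size in the first four bytes followed by a match length far larger than the remaining room, which an unchecked inner loop would happily write out.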

STAR Labs published a technical writeup showing how a buffer overflow in andyherbert's lz1/lz77 decompression routine can be exploited for code execution using crafted compressed input. The article details a stack-based exploitation approach with ROP and shellcode against a statically compiled, non-PIE amd64 binary.