LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 , affecting applications that call LZ4_compress_fast with a large input. NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk."