MEDIUM
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html
Source: MITRE
Published: 2018-04-08
Updated: 2018-09-28
Type: CWE-399
Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Impact Score: 3.6
Exploitability Score: 2.8
Severity: MEDIUM