JLSEC-2026-121

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the...

JLSEC Published: Apr 15, 2026
Modified: Apr 15, 2026
Affected Packages: Zstd_jll < 1.5.0+0
Aliases / Upstream: GHSA-ffqj-7pgc-cmj5 CVE-2021-24032 EUVD-2021-10952

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
https://github.com/facebook/zstd/issues/2491
https://www.facebook.com/security/advisories/cve-2021-24032
https://nvd.nist.gov/vuln/detail/CVE-2021-24032
https://github.com/advisories/GHSA-ffqj-7pgc-cmj5