Use after free in multithreaded lzma (.xz) decoder

In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash (CVE-2025-31115). The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected.

The Haskell xz-clib library vendors and builds the C implementation. The xz package does not use the multithreaded decoder and is therefore unaffected.