rustsec · djc · Mar 17, 2026 · Mar 17, 2026
diff --git a/crates/lz4_flex/RUSTSEC-2026-0041.md b/crates/lz4_flex/RUSTSEC-2026-0041.md
@@ -11,6 +11,10 @@ cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
 [affected.functions]
 "lz4_flex::block::decompress_into" = ["<= 0.11.5", "= 0.12.0"]
 "lz4_flex::block::decompress_into_with_dict" = ["<= 0.11.5", "= 0.12.0"]
+"lz4_flex::block::decompress" = ["<= 0.11.5", "= 0.12.0"]
+"lz4_flex::block::decompress_with_dict" = ["<= 0.11.5", "= 0.12.0"]
+"lz4_flex::block::decompress_size_prepended" = ["<= 0.11.5", "= 0.12.0"]
+"lz4_flex::block::decompress_size_prepended_with_dict" = ["<= 0.11.5", "= 0.12.0"]
 
 [versions]
 patched = [">= 0.11.6, < 0.12.0", ">= 0.12.1"]
@@ -33,8 +37,7 @@ Two scenarios are affected:
 - Decompressing into a reused, user-supplied output buffer (also affects `safe-decode`): can
   leak the previous contents of the output buffer as part of the decompressed result.
 
-Only the block-based API is affected: `lz4_flex::block::decompress_into` and
-`lz4_flex::block::decompress_into_with_dict`. All frame APIs are unaffected.
+Only the block-based APIs are affected. All frame APIs are unaffected.
 
 The flaw was corrected in versions 0.11.6 and 0.12.1 by properly validating offset values
 during decompression.