Unknown · Iq80 Snappy · CVE-2024-36124
**Name of the Vulnerable Software and Affected Versions**
iq80 Snappy versions prior to 0.5
**Description**
iq80 Snappy is a compression/decompression library. When decompressing certain inputs, Snappy reads outside the bounds of the byte arrays it is given. Because Snappy uses the JDK-internal class `sun.misc.Unsafe` to speed up memory access, those reads are not bounds-checked, so the out-of-bounds access has the same kind of consequences as in C or C++: non-deterministic behaviour or a crash of the JVM. An attacker who can supply compressed data to an application that decompresses it with this library can therefore crash the JVM, which makes the issue exploitable for denial of service wherever untrusted input is decompressed.
**Recommendations**
For versions prior to 0.5, upgrade to version 0.5 as a quick fix. In the long term, consider migrating to the Snappy implementation in https://github.com/airlift/aircompressor (version 0.27 or newer).
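The following check flags affected versions in the output of `mvn dependency:tree`. It is an added example, not part of this advisory or of the iq80 or aircompressor projects. It assumes the Maven coordinates `org.iq80.snappy:snappy` for iq80 Snappy and `io.airlift:aircompressor` for aircompressor (verify these against your own build), applies the minimum versions named above (0.5 and 0.27), and parses the plain-text tree format Maven prints; the sample tree embedded below is constructed.

```python
import re
from typing import List, Tuple

# Assumed Maven coordinates and the minimum versions recommended by the advisory:
# iq80 Snappy is fixed in 0.5; aircompressor's Snappy is recommended at 0.27 or newer.
MINIMUM_VERSIONS = {
    "org.iq80.snappy:snappy": "0.5",
    "io.airlift:aircompressor": "0.27",
}

# Matches dependency-tree lines such as
#   [INFO] |  +- org.iq80.snappy:snappy:jar:0.4:compile
# (group:artifact:type[:classifier]:version:scope). Constructed for this example.
_DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)"
)


def version_key(version: str) -> Tuple[Tuple[int, ...], int, str]:
    """Turn '0.5-SNAPSHOT' into a sortable key.

    The numeric part is compared as integers, so 0.10 > 0.5. A qualifier
    (SNAPSHOT, rc1, ...) marks a pre-release of the same numeric version and
    sorts before the plain release, matching Maven's ordering for such tags.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(?:[-.](.*))?$", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    qualifier = m.group(2) or ""
    return (numbers, 0 if qualifier else 1, qualifier)


def is_below_minimum(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum` (pre-releases of `minimum` count as older)."""
    return version_key(version) < version_key(minimum)


def find_affected(tree_text: str) -> List[Tuple[str, str, str]]:
    """Scan dependency-tree output and return (coordinates, found version, minimum version)
    for every occurrence of a watched artifact that is below the recommended version."""
    hits = []
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m:
            continue
        coords = f"{m['group']}:{m['artifact']}"
        minimum = MINIMUM_VERSIONS.get(coords)
        if minimum is not None and is_below_minimum(m["version"], minimum):
            hits.append((coords, m["version"], minimum))
    return hits


# Constructed sample of `mvn dependency:tree` output; not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.iq80.snappy:snappy:jar:0.4:compile
[INFO] +- io.airlift:aircompressor:jar:0.27:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.13:compile
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coords, found, minimum in find_affected(text):
        print(f"{coords} {found} is below the recommended {minimum}")
```

Pipe real output into it with `mvn dependency:tree | python3 check_snappy.py`; with no input it runs over the constructed sample. Transitive dependencies appear in the tree as well, so a hit that you did not declare yourself still needs a dependency override or an upgrade of the library that pulls it in.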