Oracle · Jdk · CVE-2024-36114
**Name of the Vulnerable Software and Affected Versions**
Aircompressor versions prior to 0.27
**Description**
The issue concerns the decompressor implementations in Aircompressor, including LZ4, LZO, Snappy, and Zstandard. For certain inputs these decompressors can crash the JVM and, in some cases, leak the contents of other memory belonging to the Java process, which may contain sensitive information. The root cause is that the decompressors can attempt to access memory outside the bounds of the supplied byte arrays or byte buffers: Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, and `Unsafe` performs no bounds checks of its own, so malformed compressed data drives reads and writes past the ends of the buffers. The result is non-deterministic behavior or a JVM crash. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process.
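As an added illustration (this is not Aircompressor's code, and the one-byte-length "literal run" format is constructed for the example), the following Java sketch shows the kind of explicit bounds check that has to sit in front of every `sun.misc.Unsafe` access in a decompressor, since `Unsafe.copyMemory` itself will happily read or write past the end of a `byte[]` when an untrusted length field says so:

```java
import java.lang.reflect.Field;
import sun.misc.Unsafe;

public final class CheckedLiteralCopy {
    private static final Unsafe UNSAFE;
    private static final long BYTE_ARRAY_BASE;

    static {
        try {
            // Obtain the Unsafe singleton reflectively (works on JDK 8 through current releases).
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            UNSAFE = (Unsafe) f.get(null);
        } catch (ReflectiveOperationException e) {
            throw new ExceptionInInitializerError(e);
        }
        BYTE_ARRAY_BASE = UNSAFE.arrayBaseOffset(byte[].class);
    }

    /**
     * Hypothetical decoder step: the stream byte at inPos declares how many literal bytes follow.
     * Returns the number of bytes copied into out at outPos.
     */
    static int copyLiterals(byte[] in, int inPos, byte[] out, int outPos) {
        if (inPos < 0 || inPos >= in.length) {
            throw new IllegalArgumentException("length byte outside input");
        }
        int len = in[inPos] & 0xFF;   // untrusted length taken from the compressed data
        int src = inPos + 1;
        // These two checks are exactly what Unsafe does not do for us: verify that both the
        // source window and the destination window lie inside their arrays before copying.
        if ((long) src + len > in.length) {
            throw new IllegalArgumentException("literal run exceeds input buffer");
        }
        if (outPos < 0 || (long) outPos + len > out.length) {
            throw new IllegalArgumentException("literal run exceeds output buffer");
        }
        UNSAFE.copyMemory(in, BYTE_ARRAY_BASE + src, out, BYTE_ARRAY_BASE + outPos, len);
        return len;
    }

    public static void main(String[] args) {
        byte[] out = new byte[16];
        // Constructed well-formed block: length 5 followed by five literal bytes.
        byte[] good = {5, 'h', 'e', 'l', 'l', 'o'};
        System.out.println("copied " + copyLiterals(good, 0, out, 0) + " bytes");
        // Constructed malformed block: claims 50 literals but only two are present.
        byte[] bad = {50, 'h', 'i'};
        try {
            copyLiterals(bad, 0, out, 0);   // an unchecked copy here would read 48 bytes past 'bad'
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with `javac CheckedLiteralCopy.java`; javac warns that `sun.misc.Unsafe` is an internal API, which is expected.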
**Recommendations**
Update to Aircompressor 0.27 or newer where these issues have been fixed. As a temporary workaround, consider avoiding the decompression of data from untrusted users to minimize the risk of exploitation. Restrict access to sensitive information within the Java process to reduce the potential impact of a leak.