PT-2023-21866 · Snappier · Snappier

Brantburnett · Published 2023-03-27 · Updated 2023-04-03 · CVE-2023-28638

CVSS v3.1

7.0 High

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Name of the Vulnerable Software and Affected Versions

Snappier version 1.1.0

Description

This is a buffer overrun vulnerability that can affect any user of Snappier 1.1.0. The issue arises from the use of byte references rather than pointers to pinned buffers, which can lead to invalid buffer range checks during garbage collector compaction. An attacker would need to trigger a repetitive bulk attack with the hope that a GC compaction occurs at precisely the right moment during one of the requests. However, one of the range checks with this problem is a check based on input data in the decompression buffer, meaning malformed input data could be used to increase the chance of success. The most likely result of an attack is a denial of service.

Recommendations

For Snappier version 1.1.0, upgrade to release 1.1.1 to patch the vulnerability. As a temporary workaround for users unable to upgrade, pin buffers to a fixed location before using them for compression or decompression to mitigate some, but not all, of these cases. Note that at least one temporary decompression buffer is internal to the library and never pinned.
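
The pinning workaround from the recommendations, sketched in C# for the decompression path. This is an added example, not code from the Snappier project or from this advisory: the `PinnedSnappy` helper is hypothetical, the sample input is constructed, and the code assumes Snappier's span-based `Snappy.GetUncompressedLength` and `Snappy.Decompress` calls. It pins only the caller-owned arrays, so per the advisory it mitigates some cases and upgrading to 1.1.1 remains the fix.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Snappier;

// Hypothetical helper, not part of Snappier.
public static class PinnedSnappy
{
    public static byte[] Decompress(byte[] compressed)
    {
        if (compressed is null) throw new ArgumentNullException(nameof(compressed));

        // The declared output size comes from the (untrusted) input header.
        int expected = Snappy.GetUncompressedLength(compressed);
        byte[] output = new byte[expected];

        GCHandle inputPin = default, outputPin = default;
        try
        {
            // Pin both caller-owned arrays so a GC compaction cannot move
            // them while Snappier holds byte references into them.
            inputPin = GCHandle.Alloc(compressed, GCHandleType.Pinned);
            outputPin = GCHandle.Alloc(output, GCHandleType.Pinned);

            int written = Snappy.Decompress(compressed, output);
            if (written != expected)
                throw new InvalidDataException("Decompressed length does not match header.");
            return output;
        }
        finally
        {
            // Release the pins promptly; long-lived pins fragment the heap.
            if (outputPin.IsAllocated) outputPin.Free();
            if (inputPin.IsAllocated) inputPin.Free();
        }
    }

    public static void Main()
    {
        // Constructed sample: length varint 0x05, literal tag 0x10, then "hello".
        byte[] sample = { 0x05, 0x10, 0x68, 0x65, 0x6C, 0x6C, 0x6F };
        Console.WriteLine(Encoding.ASCII.GetString(Decompress(sample)));
    }
}
```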

Exploit

Fix

Weakness Enumeration

Buffer Overflow

Related Identifiers

CVE-2023-28638
GHSA-838X-PCVX-6P5W

Affected Products

Snappier