PT-2024-26901 · Oracle · Jdk

Marcono1234 · +1

Published: 2024-05-29 · Updated: 2024-06-02

CVE-2024-36114

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: Aircompressor versions prior to 0.27

Description: The issue concerns the decompressor implementations of Aircompressor, including LZ4, LZO, Snappy, and Zstandard. For certain inputs these decompressors can crash the JVM and, in some cases, leak the contents of other memory of the Java process, which may contain sensitive information. The cause is that the decompressors access memory outside the bounds of the given byte arrays or byte buffers: Aircompressor uses the JDK class sun.misc.Unsafe to speed up memory access, and Unsafe performs no bounds checks of its own, so an out-of-bounds offset is read or written without error. The result is non-deterministic behavior or a JVM crash. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process.

Recommendations: Update to Aircompressor 0.27 or newer, where these issues have been fixed. As a temporary workaround, avoid decompressing data from untrusted users to minimize the risk of exploitation, and restrict access to sensitive information within the Java process to reduce the potential impact of a leak.
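The bounds check the description says is missing, as an added illustration in Java (this is not Aircompressor's own code): an unchecked read through sun.misc.Unsafe next to a checked read that first verifies the whole 8-byte window lies inside the caller's byte array. The class and method names are assumptions made for the example.

```java
import java.lang.reflect.Field;
import sun.misc.Unsafe;

public final class CheckedUnsafeRead {
    private static final Unsafe UNSAFE = loadUnsafe();
    // Offset of the first element of a byte[] relative to the array object.
    private static final long BYTE_ARRAY_BASE = Unsafe.ARRAY_BYTE_BASE_OFFSET;

    private static Unsafe loadUnsafe() {
        try {
            Field f = Unsafe.class.getDeclaredField("theUnsafe");
            f.setAccessible(true);
            return (Unsafe) f.get(null);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("sun.misc.Unsafe not available", e);
        }
    }

    // Unchecked read: Unsafe trusts the caller completely. If the decoded
    // offset points past the array, this reads whatever memory follows it
    // (the leak) or faults (the crash), exactly the pattern in the advisory.
    static long readLongUnchecked(byte[] input, long address) {
        return UNSAFE.getLong(input, address);
    }

    // Checked read: the full 8-byte window must lie inside [base, limit)
    // before memory is touched; out-of-range offsets are rejected instead.
    static long readLongChecked(byte[] input, long address, long limit) {
        if (address < BYTE_ARRAY_BASE || address + Long.BYTES > limit) {
            throw new IllegalArgumentException("read of " + Long.BYTES
                    + " bytes at offset " + (address - BYTE_ARRAY_BASE)
                    + " exceeds input of " + (limit - BYTE_ARRAY_BASE) + " bytes");
        }
        return UNSAFE.getLong(input, address);
    }

    public static void main(String[] args) {
        // Constructed sample: a 4-byte input, shorter than one long.
        byte[] input = {1, 2, 3, 4};
        long base = BYTE_ARRAY_BASE;
        long limit = base + input.length;
        try {
            readLongChecked(input, base, limit);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The unchecked variant is shown only for contrast; a decompressor that takes offsets from untrusted input should route every Unsafe access through the checked form.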

Exploit

Fix

Out-of-bounds Read

Memory Corruption


Weakness Enumeration

Related Identifiers

CVE-2024-36114
GHSA-973X-65J7-XCF4

Affected Products

Jdk