PT-2024-26911 · Unknown · Iq80 Snappy

Dain · Published 2024-06-03 · Updated 2024-06-04 · CVE-2024-36124

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: iq80 Snappy versions prior to 0.5

Description: iq80 Snappy is a compression/decompression library. When uncompressing certain inputs, Snappy reads outside the bounds of the byte arrays it was given. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, the JVM's own array bounds checks are bypassed and no ArrayIndexOutOfBoundsException is raised; the consequences are the same as an out-of-bounds access in C or C++, namely non-deterministic behavior or a crash of the JVM. An attacker who can supply compressed data to an application that uncompresses it can therefore crash the JVM, a denial of service (the CVSS vector records no confidentiality or integrity impact). Bounds checks in the calling code on the compressed buffer do not help, because the out-of-bounds read happens inside the library.

Recommendations: For versions prior to 0.5, upgrade to version 0.5, which fixes this issue, as a quick fix. In the long term, consider migrating to the Snappy implementation in https://github.com/airlift/aircompressor (version 0.27 or newer). In either case, Snappy data received from untrusted sources should still be treated as hostile input: check the declared uncompressed length against an application limit before allocating the output buffer, and bound the decompressor's writes to that buffer.
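The following is an added example, not code from the iq80 Snappy project, from aircompressor, or from this advisory. It shows what a decoder for untrusted Snappy data looks like after migrating to aircompressor as recommended above: the declared uncompressed length is validated against an application limit before any allocation, and the decompressor is given an explicit maximum output length so it cannot write past the buffer. It assumes aircompressor 0.27 or newer on the classpath; the class name SafeSnappy, the 16 MiB limit and the sample inputs are hypothetical, and the method names (SnappyDecompressor.getUncompressedLength, decompress with a maxOutputLength argument, SnappyCompressor.maxCompressedLength) follow the aircompressor API as the editor understands it and should be checked against the version you depend on. The malformed inputs constructed here are not the CVE-2024-36124 trigger; the fix for that bug is the upgrade, and these checks are the hardening a practitioner wants on top of it.

```java
import io.airlift.compress.snappy.SnappyCompressor;
import io.airlift.compress.snappy.SnappyDecompressor;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;

/**
 * Added example (not iq80 Snappy or aircompressor project code): decompress Snappy
 * data from untrusted callers with a size policy and an explicitly bounded output.
 */
public final class SafeSnappy {
    /** Hypothetical application policy: refuse streams that claim more than 16 MiB. */
    static final int MAX_UNCOMPRESSED = 16 * 1024 * 1024;

    private SafeSnappy() {}

    public static byte[] decompressUntrusted(byte[] input, int offset, int length) {
        // Validate the slice before handing it to the library: the library may use
        // Unsafe internally, so Java's own array bounds checks cannot be relied on.
        if (input == null || offset < 0 || length < 0 || length > input.length - offset) {
            throw new IllegalArgumentException("input slice out of range");
        }
        // Read the varint length header before allocating anything; a forged header
        // is the cheapest way for a caller to make us allocate a huge buffer.
        int declared;
        try {
            declared = SnappyDecompressor.getUncompressedLength(input, offset);
        } catch (RuntimeException e) { // aircompressor's malformed-input exceptions are unchecked
            throw new IllegalArgumentException("unreadable Snappy length header", e);
        }
        if (declared < 0 || declared > MAX_UNCOMPRESSED) {
            throw new IllegalArgumentException("declared size " + declared + " exceeds policy");
        }
        byte[] out = new byte[declared];
        int written;
        try {
            // maxOutputLength = out.length: the decompressor must stay inside this
            // buffer and reports malformed input instead of writing past it.
            written = new SnappyDecompressor().decompress(input, offset, length, out, 0, out.length);
        } catch (RuntimeException e) {
            throw new IllegalArgumentException("malformed Snappy stream", e);
        }
        if (written != declared) {
            throw new IllegalArgumentException(
                    "stream produced " + written + " bytes, header declared " + declared);
        }
        return out;
    }

    public static byte[] compress(byte[] data) {
        SnappyCompressor compressor = new SnappyCompressor();
        byte[] buf = new byte[compressor.maxCompressedLength(data.length)];
        int n = compressor.compress(data, 0, data.length, buf, 0, buf.length);
        return Arrays.copyOf(buf, n);
    }

    /** True when the policy wrapper rejects the stream with IllegalArgumentException. */
    static boolean rejects(byte[] stream) {
        try {
            decompressUntrusted(stream, 0, stream.length);
            return false;
        } catch (IllegalArgumentException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a compressible message, round-tripped through Snappy.
        byte[] plain = "attack at dawn ".repeat(200).getBytes(StandardCharsets.US_ASCII);
        byte[] packed = compress(plain);
        if (!Arrays.equals(plain, decompressUntrusted(packed, 0, packed.length))) {
            throw new AssertionError("round trip failed");
        }

        // Constructed malformed inputs: a stream cut off halfway, and a header whose
        // varint claims 2^31-1 bytes of output with no data behind it.
        byte[] truncated = Arrays.copyOf(packed, packed.length / 2);
        byte[] bogusHeader = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x07, 0x00};
        if (!rejects(truncated) || !rejects(bogusHeader)) {
            throw new AssertionError("malformed input was accepted");
        }
        System.out.println("round trip ok; truncated and oversized streams rejected");
    }
}
```

The oversized header is stopped by the policy check before any buffer is allocated; the truncated stream either raises the library's malformed-input exception or decodes to fewer bytes than the header declares, and both paths end in the same rejection. Keeping the limit on the declared size separate from the limit on the compressed size matters because Snappy's ratio is open-ended for runs of repeated bytes.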

Weakness Enumeration

Out of bounds Read (CWE-125)

Related Identifiers

CVE-2024-36124
GHSA-8WH2-6QHJ-H7J9

Affected Products

Iq80 Snappy