PT-2025-49304 · Unknown+2 · Yawkat Lz4 Java+2

Published: 2025-01-01 · Updated: 2026-05-18 · CVE-2025-66566

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions: yawkat LZ4 Java versions 1.10.0 and earlier

Description: yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.

Recommendations: Update to version 1.10.1 or later.

Related Identifiers

ALSA-2026:0752
CLEANSTART-2026-AO61361
CVE-2025-66566
ECHO-A02E-E8DE-2B03
GHSA-CMP6-M4WJ-Q63Q
RHSA-2026:0751
RHSA-2026:0752
RHSA-2026:1823
RHSA-2026:1870
RHSA-2026:1871

Affected Products

Debian
Rocky Linux
Yawkat Lz4 Java