CVE-2024-36124
Published: 3 June 2024
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As quick fix users can upgrade to version 0.5.
Notes
Author | Note |
---|---|
mdeslaur |
This CVE is for iq80 snappy, which is neither the snappy or the snappy-java package in Ubuntu. |