CVE-2024-36124 MEDIUM

CVE-2024-36124: iq80 Snappy has an out-of-bounds read when uncompressing data, leading to JVM crash

Vendor Dain
Product snappy
Weakness CWE-125
Published June 3, 2024
Last update September 5, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, the JVM's usual bounds checks do not apply, so the consequences are similar to an out-of-bounds access in C or C++: non-deterministic behaviour or a crash of the JVM. iq80 Snappy is not actively maintained anymore. As a quick fix, users can upgrade to version 0.5.
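
To make concrete which checks an `Unsafe`-based fast path skips, here is a bounds-checked decoder for the raw Snappy block format, written in Python. It is an added example, not code from the iq80 Snappy project, and the three malformed buffers are constructed by hand to illustrate the classes of out-of-bounds read a decompressor must refuse (literal longer than the remaining input, copy offset reaching before the start of the output, copy overrunning the declared length); they are not the specific input behind CVE-2024-36124. The class and function names (`MalformedSnappy`, `uncompress`, `check`) are the example's own.

```python
"""Bounds-checked decoder for the raw Snappy block format.

Added example (not code from the iq80 Snappy project). It performs, in
plain Python, the checks that an `sun.misc.Unsafe`-based fast path omits.
The sample buffers below are constructed for illustration; they are not
the specific input behind CVE-2024-36124.
"""
from __future__ import annotations


class MalformedSnappy(ValueError):
    """Raised instead of reading outside the input or output buffer."""


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Little-endian base-128 varint (the preamble's uncompressed length)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise MalformedSnappy("varint runs past end of input")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift >= 35:                    # more than 5 bytes cannot be a 32-bit length
            raise MalformedSnappy("varint too long for a 32-bit length")


def _read_le(buf: bytes, pos: int, n: int) -> tuple[int, int]:
    """Read an n-byte little-endian integer, refusing to read past the input."""
    if pos + n > len(buf):
        raise MalformedSnappy(f"need {n} bytes at offset {pos}, input ends at {len(buf)}")
    return int.from_bytes(buf[pos:pos + n], "little"), pos + n


def uncompress(buf: bytes, max_output: int = 1 << 20) -> bytes:
    """Decode a raw Snappy block, rejecting every out-of-bounds access."""
    expected, pos = _read_varint(buf, 0)
    if expected > max_output:
        raise MalformedSnappy(f"declared length {expected} exceeds limit {max_output}")
    out = bytearray()
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        kind = tag & 0x03
        if kind == 0:                      # literal: bytes copied straight from input
            length = tag >> 2
            if length >= 60:               # 60..63: (length - 1) follows in 1..4 bytes
                length, pos = _read_le(buf, pos, length - 59)
            length += 1
            if pos + length > len(buf):    # input-side bounds check
                raise MalformedSnappy(f"literal of {length} bytes runs past end of input")
            if len(out) + length > expected:
                raise MalformedSnappy("literal would exceed declared uncompressed length")
            out += buf[pos:pos + length]
            pos += length
            continue
        if kind == 1:                      # copy, 1-byte offset (3 high bits in the tag)
            length = ((tag >> 2) & 0x07) + 4
            low, pos = _read_le(buf, pos, 1)
            offset = ((tag >> 5) << 8) | low
        elif kind == 2:                    # copy, 2-byte offset
            length = (tag >> 2) + 1
            offset, pos = _read_le(buf, pos, 2)
        else:                              # copy, 4-byte offset
            length = (tag >> 2) + 1
            offset, pos = _read_le(buf, pos, 4)
        if offset == 0 or offset > len(out):   # output-side bounds check
            raise MalformedSnappy(f"copy offset {offset} with only {len(out)} bytes produced")
        if len(out) + length > expected:
            raise MalformedSnappy("copy would exceed declared uncompressed length")
        # Overlapping copies are legal (offset < length repeats a pattern),
        # so copy byte by byte rather than slicing a fixed window.
        start = len(out) - offset
        for i in range(length):
            out.append(out[start + i])
    if len(out) != expected:
        raise MalformedSnappy(f"declared {expected} bytes, produced {len(out)}")
    return bytes(out)


# Constructed sample: literal "abc", then a 9-byte copy at offset 3
# (an overlapping copy that repeats the pattern) -> 12 bytes total.
VALID = bytes([0x0C, 0x08]) + b"abc" + bytes([0x15, 0x03])

# Constructed malformed inputs, one per class of out-of-bounds read:
BAD_LITERAL = bytes([0x0C, 0x2C]) + b"abc"                        # literal claims 12 bytes, 3 remain
BAD_OFFSET = bytes([0x0C, 0x08]) + b"abc" + bytes([0x15, 0x04])   # offset 4, only 3 bytes produced
BAD_LENGTH = bytes([0x03, 0x08]) + b"abc" + bytes([0x15, 0x03])   # copy overruns declared 3 bytes


def check(buf: bytes) -> str:
    """Return the decoded text, or the reason the input was rejected."""
    try:
        return uncompress(buf).decode("ascii")
    except MalformedSnappy as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, buf in [("VALID", VALID), ("BAD_LITERAL", BAD_LITERAL),
                      ("BAD_OFFSET", BAD_OFFSET), ("BAD_LENGTH", BAD_LENGTH)]:
        print(f"{name:12s} {check(buf)}")
```

Each `raise` marks a read that, without the check, would touch memory outside the input or output array; with `sun.misc.Unsafe` that read is not trapped by the JVM, which is why the advisory compares it to C/C++ out-of-bounds access. The `max_output` cap is a separate defence against a hostile declared length causing a huge allocation.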

Key dates

02 Disclosure timeline

June 3, 2024 CVE published
September 5, 2024 Record updated