Bug 2417718 (CVE-2025-12183)

Summary: CVE-2025-12183 lz4-java: Out-of-bounds memory operations lead to denial of service and information disclosure
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abrianik, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, ccranfor, chfoley, clement.escoffier, cmah, csutherl, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drosa, dsoumis, eaguilar, ebaron, eric.wittmann, fjuma, fmariani, fmongiar, ggrzybek, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jcantril, jclere, jmartisk, jnethert, jolong, jpechane, jrokos, kverlaen, lthon, manderse, mnovotny, mosmerov, msvehla, nipatil, nwallace, olubyans, pantinor, parichar, pberan, pdelbell, pesilva, pgallagh, pjindal, plodge, pmackay, probinso, rguimara, rkubis, rmaucher, rojacob, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, smaestri, swoodman, szappis, tasato, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in lz4-java. This vulnerability allows remote attackers to cause a denial of service (DoS) and to read adjacent memory via untrusted compressed input. Only programs that decompress such input with the unsafe LZ4_decompress_fast API, exposed in lz4-java as the "fast" decompressor (LZ4FastDecompressor, which is given the expected decompressed length rather than the compressed length and trusts the block's internal lengths and match offsets), are affected; the "safe" decompressor (LZ4SafeDecompressor) bounds-checks against the compressed length and the destination buffer.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-11-28 16:01:06 UTC
Out-of-bounds memory operations in org.lz4:lz4-java 1.8.0 and earlier allow remote attackers to cause denial of service and read adjacent memory via untrusted compressed input.

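The distinction the Doc Text draws between the "fast" and "safe" decompressors, as an added example that is not code from lz4-java, from Red Hat, or from this bug. It uses the public lz4-java classes LZ4Factory, LZ4Compressor, LZ4FastDecompressor, LZ4SafeDecompressor and LZ4Exception; the MAX_DECOMPRESSED_LEN policy limit, the decompressFast/decompressSafe method names and the sample input are assumptions made for the illustration. The fast path is kept only to show the pattern that is exposed to this flaw; the hardened path is what a service handling untrusted blocks should use.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

import net.jpountz.lz4.LZ4Compressor;
import net.jpountz.lz4.LZ4Exception;
import net.jpountz.lz4.LZ4Factory;
import net.jpountz.lz4.LZ4FastDecompressor;
import net.jpountz.lz4.LZ4SafeDecompressor;

public class Lz4DecompressExample {
    // Hypothetical policy limit: the largest block a service is willing to
    // allocate for, so a remote "declared length" cannot drive allocation.
    static final int MAX_DECOMPRESSED_LEN = 1 << 20;

    // Exposed pattern (the one this bug is about): the fast decompressor is
    // told only how many bytes to produce. It never learns src.length, so it
    // trusts the literal lengths and match offsets encoded in the block; a
    // crafted block can make it read outside src or dest instead of failing.
    static byte[] decompressFast(byte[] src, int claimedLen) {
        LZ4FastDecompressor d = LZ4Factory.fastestInstance().fastDecompressor();
        byte[] dest = new byte[claimedLen];
        d.decompress(src, 0, dest, 0, claimedLen);
        return dest;
    }

    // Hardened pattern: cap the attacker-controlled length, hand the safe
    // decompressor the real compressed length, and let it bounds-check.
    // Malformed or oversized input surfaces as LZ4Exception, not as an
    // out-of-bounds access.
    static byte[] decompressSafe(byte[] src, int claimedLen) {
        if (claimedLen < 0 || claimedLen > MAX_DECOMPRESSED_LEN) {
            throw new IllegalArgumentException("declared length outside policy: " + claimedLen);
        }
        LZ4SafeDecompressor d = LZ4Factory.fastestInstance().safeDecompressor();
        byte[] dest = new byte[claimedLen];
        int produced = d.decompress(src, 0, src.length, dest, 0);
        if (produced != claimedLen) {
            throw new IllegalArgumentException(
                "declared length " + claimedLen + " does not match decoded length " + produced);
        }
        return dest;
    }

    public static void main(String[] args) {
        // Constructed sample input; repetition gives LZ4 something to match on.
        byte[] plain = "constructed sample block, constructed sample block, constructed sample block"
            .getBytes(StandardCharsets.US_ASCII);
        LZ4Compressor compressor = LZ4Factory.fastestInstance().fastCompressor();
        byte[] compressed = compressor.compress(plain);

        // Well-formed input: both paths return the original bytes.
        System.out.println("fast ok:  " + Arrays.equals(plain, decompressFast(compressed, plain.length)));
        System.out.println("safe ok:  " + Arrays.equals(plain, decompressSafe(compressed, plain.length)));

        // Constructed malformed input: the block cut in half. The safe path
        // rejects it with an exception rather than reading past the buffer.
        byte[] truncated = Arrays.copyOf(compressed, compressed.length / 2);
        try {
            decompressSafe(truncated, plain.length);
            System.out.println("unexpected: truncated block accepted");
        } catch (LZ4Exception | IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check is a code search for fastDecompressor() and LZ4FastDecompressor on any path that receives compressed data from outside the trust boundary, followed by a dependency-tree check for org.lz4:lz4-java at 1.8.0 or earlier, which the description above names as the affected range.
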
Comment 4 errata-xmlrpc 2026-02-04 04:47:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1

Via RHSA-2026:1872 https://access.redhat.com/errata/RHSA-2026:1872

Comment 5 errata-xmlrpc 2026-02-04 05:12:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2026:1871 https://access.redhat.com/errata/RHSA-2026:1871

Comment 6 errata-xmlrpc 2026-02-04 11:32:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2026:1870 https://access.redhat.com/errata/RHSA-2026:1870