Bug 2290551 (CVE-2024-36124) - CVE-2024-36124 snappy: tries to read outside the bounds of the given byte arrays
Summary: CVE-2024-36124 snappy: tries to read outside the bounds of the given byte arrays
Keywords:
Status: NEW
Alias: CVE-2024-36124
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2290550
TreeView+ depends on / blocked
 
Reported: 2024-06-05 13:23 UTC by Rohit Keshri
Modified: 2025-11-11 08:27 UTC (History)
127 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Rohit Keshri 2024-06-05 13:23:04 UTC 
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As quick fix users can upgrade to version 0.5.

https://github.com/dain/snappy/security/advisories/GHSA-8wh2-6qhj-h7j9
Note You need to log in before you can comment on or make changes to this bug.