Bug 2419500 (CVE-2025-66566) - CVE-2025-66566 lz4-java: lz4-java: Information Disclosure via Insufficient Output Buffer Clearing
Summary: CVE-2025-66566 lz4-java: lz4-java: Information Disclosure via Insufficient Ou...
Keywords:
Status: NEW
Alias: CVE-2025-66566
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-12-05 19:01 UTC by OSIDB Bzimport
Modified: 2026-02-18 08:28 UTC (History)
78 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:0467 0 None None None 2026-01-12 15:04:39 UTC
Red Hat Product Errata RHSA-2026:0468 0 None None None 2026-01-12 15:22:46 UTC
Red Hat Product Errata RHSA-2026:0726 0 None None None 2026-01-15 19:53:26 UTC
Red Hat Product Errata RHSA-2026:0751 0 None None None 2026-01-19 01:14:16 UTC
Red Hat Product Errata RHSA-2026:0752 0 None None None 2026-01-19 01:14:57 UTC
Red Hat Product Errata RHSA-2026:0761 0 None None None 2026-01-19 03:34:22 UTC
Red Hat Product Errata RHSA-2026:1823 0 None None None 2026-02-03 13:48:53 UTC
Red Hat Product Errata RHSA-2026:1870 0 None None None 2026-02-04 11:32:51 UTC
Red Hat Product Errata RHSA-2026:1871 0 None None None 2026-02-04 05:13:00 UTC
Red Hat Product Errata RHSA-2026:1872 0 None None None 2026-02-04 04:47:29 UTC

Description OSIDB Bzimport 2025-12-05 19:01:19 UTC 
yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.
Comment 4 errata-xmlrpc 2026-01-12 15:04:33 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.10 for Quarkus 3.20

Via RHSA-2026:0467 https://access.redhat.com/errata/RHSA-2026:0467
Comment 5 errata-xmlrpc 2026-01-12 15:22:40 UTC 
This issue has been addressed in the following products:

  Red Hat Build of Apache Camel 4.14 for Quarkus 3.27

Via RHSA-2026:0468 https://access.redhat.com/errata/RHSA-2026:0468
Comment 7 errata-xmlrpc 2026-01-15 19:53:20 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.14.2.P1 for Spring Boot 3.5.9

Via RHSA-2026:0726 https://access.redhat.com/errata/RHSA-2026:0726
Comment 8 errata-xmlrpc 2026-01-19 01:14:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:0751 https://access.redhat.com/errata/RHSA-2026:0751
Comment 9 errata-xmlrpc 2026-01-19 01:14:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:0752 https://access.redhat.com/errata/RHSA-2026:0752
Comment 10 errata-xmlrpc 2026-01-19 03:34:16 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2026:0761 https://access.redhat.com/errata/RHSA-2026:0761
Comment 12 errata-xmlrpc 2026-02-03 13:48:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1823 https://access.redhat.com/errata/RHSA-2026:1823
Comment 13 errata-xmlrpc 2026-02-04 04:47:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1

Via RHSA-2026:1872 https://access.redhat.com/errata/RHSA-2026:1872
Comment 14 errata-xmlrpc 2026-02-04 05:12:54 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9

Via RHSA-2026:1871 https://access.redhat.com/errata/RHSA-2026:1871
Comment 15 errata-xmlrpc 2026-02-04 11:32:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8

Via RHSA-2026:1870 https://access.redhat.com/errata/RHSA-2026:1870
Note You need to log in before you can comment on or make changes to this bug.