CVE-2024-36124

2024-06-0513:33:13

redhat.com

access.redhat.com

iq80 snappy

compression library

out-of-bounds access

non-deterministic behavior

jvm crash

security consequences

jdk class

unsafe

memory access

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.1%

JSON

A flaw was found in the iq80 Snappy compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class sun.misc.Unsafe to speed up memory access, no additional bounds checks are performed, and this has similar security consequences as out-of-bounds access in C or C++. This issue can lead to non-deterministic behavior or crash the JVM.

Mitigation

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.