
34 matches found

IBM Security Bulletins
added 2026/05/26 1:44 p.m., 16 views

Security Bulletin: Vulnerability affect underscore-umd-min, werkzeug-3.1.5, flask-3.1.1, cryptography, aircompressor, pyasn1, http, log4j, apache2-build, commons-configuration, bcpkix-jdk18on, server-MariaDB, Jline, IBM COS Systems (April 2026)

Summary: Vulnerability with underscore-umd-min CVE-2026-27601, werkzeug-3.1.5 CVE-2026-27199, flask-3.1.1-py3-n CVE-2026-27205, cryptography CVE-2026-26007, aircompressor CVE-2025-67721, pyasn1 CVE-2026-23490, http, log4j CVE-2025-68161, apache2-build CVE-2025-55753, commons-configuration CVE-2024-29131,...

CVSS 8.2, AI score 7, EPSS 0.00145
Exploits 4, Affected Software 1
OSV
added 2026/04/25 12:45 a.m., 4 views

CLEANSTART-2026-HQ78610 Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java

Multiple security vulnerabilities affect the trino package. Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. See references for individual vulnerability details...

CVSS 9.8, AI score 7.2, EPSS 0.00052
Exploits 4, References 30
IBM Security Bulletins
added 2026/04/23 4:28 p.m., 2 views

Security Bulletin: vulnerability addressed in IBM Big Replicate LiveData Migrator 3.4

Summary: The libraries affected include Aircompressor. Dependency packages are being used by IBM Big Replicate LiveData Migrator. This bulletin describes the upgrades necessary to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2024-36114 DESCRIPTION: Aircompressor is a library with...

CVSS 8.6, AI score 5.7, EPSS 0.00195
Exploits 0, Affected Software 1
Veracode
added 2026/01/08 8:53 a.m., 69 views

Information Disclosure

Aircompressor is vulnerable to Information Disclosure. The vulnerability is due to improper handling of malformed Snappy and LZ4 compressed input in the Java decompressor implementations, which allows a remote attacker to craft input that causes previously used buffer contents to be included in t...

CVSS 7.5, AI score 7.1, EPSS 0.00052
Exploits 0, References 4, Affected Software 2
RedhatCVE
added 2025/12/17 8:7 a.m., 3 views

CVE-2025-67721

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, AI score 6.9, EPSS 0.00052
Exploits 0, References 1
NVD
added 2025/12/12 11:15 p.m., 3 views

CVE-2025-67721

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 7.5, EPSS 0.00052
Exploits 0, References 3
Snyk
added 2025/12/12 11:0 p.m., 1 views

Insertion of Sensitive Information Into Sent Data

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted...

CVSS 8.2, AI score 6.7, EPSS 0.00052
Exploits 0, References 2
vulnersOsv
added 2025/12/12 11:0 p.m., 5 views

ai.catboost:catboost-spark_4.0_2.13 (=1.2.10), ai.catboost:catboost-spark_4.1_2.13 (=1.2.10) +509 more potentially affected by CVE-2025-67721 via io.airlift:aircompressor (=2.0.2)

io.airlift:aircompressor MAVEN version =2.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on io.airlift:aircompressor and may be impacted: - ai.catboost:catboost-spark_4.0_2.13 =1.2.10 - ai.catboost:catboost-spark_4.1_2.13 =1.2.10 - ai.h2o:h2o-orc-parser...

CVSS 7.5, AI score 7.2, EPSS 0.00052
Exploits 0
Snyk
added 2025/12/12 11:0 p.m., 1 views

Insertion of Sensitive Information Into Sent Data

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the decompression process when the output buffer is reused without being cleared. An attacker can access sensitive information from previous buffer contents by providing crafted...

CVSS 8.2, AI score 6, EPSS 0.00052
Exploits 0, References 2
vulnersOsv
added 2025/12/12 11:0 p.m., 3 views

io.github.jordepic:dataharness-trino (>=1.0 <=2.0), io.trino.gateway:gateway-ha (>=14 <=16) +19 more potentially affected by CVE-2025-67721 via io.airlift:aircompressor-v3 (>=3.0 <=3.3)

io.airlift:aircompressor-v3 MAVEN version =3.0, =1.0, =14, =466, =457, =464, =457, =457, =457, =457, =457, =457, =457, =457, =469, =472, =475 and more Source cves: CVE-2025-67721 Source advisory: SNYK:JAVA-IOAIRLIFT-14412704...

CVSS 7.5, AI score 7.2, EPSS 0.00052
Exploits 0
vulnersOsv
added 2025/12/12 10:12 p.m., 2 views

io.github.jordepic:dataharness-trino (>=1.0 <=2.0), io.trino.gateway:gateway-ha (>=14 <=16) +19 more potentially affected by CVE-2025-67721 via io.airlift:aircompressor-v3 (>=3.0 <=3.3)

io.airlift:aircompressor-v3 MAVEN version =3.0, =1.0, =14, =466, =457, =464, =457, =457, =457, =457, =457, =457, =457, =457, =469, =472, =475 and more Source cves: CVE-2025-67721 Source advisory: OSV:GHSA-VX9Q-RHV9-3JVG...

CVSS 7.5, AI score 7.2, EPSS 0.00052
Exploits 0
vulnersOsv
added 2025/12/12 10:12 p.m., 5 views

ai.catboost:catboost-spark_2.11 (>=0.25-rc1 <=0.25-rc3), ai.catboost:catboost-spark_2.12 (>=0.25-rc1 <=0.25-rc3) +5330 more potentially affected by CVE-2025-67721 via io.airlift:aircompressor (>=0.10 <=2.0.2)

io.airlift:aircompressor MAVEN version =0.10, =0.25-rc1, =0.25-rc1, =0.25, =0.25, =0.25, =0.25, =1.0.1, =1.0.6, =1.0.6, =1.1, =1.1.1, =1.2, =1.2, =1.2.3, =1.2.3, =1.2.10 and more Source cves: CVE-2025-67721 Source advisory: OSV:GHSA-VX9Q-RHV9-3JVG...

CVSS 7.5, AI score 7.2, EPSS 0.00052
Exploits 0
OSV
added 2025/12/12 10:12 p.m., 1 views

GHSA-VX9Q-RHV9-3JVG aircompressor Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer

Summary: Incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of...

CVSS 8.2, AI score 6, EPSS 0.00052
Exploits 0, References 7
Vulnrichment
added 2025/12/12 10:11 p.m., 2 views

CVE-2025-67721 Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, AI score 6.5, EPSS 0.00052
Exploits 0, References 3
CVE
added 2025/12/12 10:11 p.m., 68 views

CVE-2025-67721

CVE-2025-67721 affects the Aircompressor library (Java ports of Snappy, LZO, LZ4, Zstandard). Red Hat’s entry confirms that in versions ≤3.3, malformed data handling in Java-based decompressors for Snappy and LZ4 can cause leakage of previously uncompressed data when buffers are reused, enabling ...

CVSS 7.5, AI score 6.5, EPSS 0.00052
Exploits 0, References 3, Affected Software 1
Cvelist
added 2025/12/12 10:11 p.m., 18 views

CVE-2025-67721 Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, EPSS 0.00052
Exploits 0, References 3
OSV
added 2025/12/12 10:11 p.m., 2 views

CVE-2025-67721 Aircompressor's Snappy and LZ4 Java-based decompressor implementation can leak information from reused output buffer

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, AI score 6.8, EPSS 0.00052
Exploits 0, References 5
EUVD
added 2025/12/12 10:11 p.m., 2 views

EUVD-2025-203174

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, AI score 6.4, EPSS 0.00052
Exploits 0, References 4
Positive Technologies
added 2025/12/12 12:0 a.m., 3 views

PT-2025-51030

Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. In versions 3.3 and below, incorrect handling of malformed data in Java-based decompressor implementations for Snappy and LZ4 allows remote attackers to read previous buffer contents via...

CVSS 6.3, AI score 6.9, EPSS 0.00052
Exploits 0, References 5
CNNVD
added 2025/12/12 12:0 a.m., 2 views

Aircompressor Security Vulnerability

Aircompressor is an airlift open source library that ports the Snappy, LZO, LZ4 and Zstandard compression algorithms to Java. Aircompressor 3.3 and earlier versions contain a security vulnerability that stems from improper handling of malformed data by the Snappy and LZ4 decompressors, which coul...

CVSS 7.5, AI score 6.1, EPSS 0.00052
Exploits 0, References 3