{"id":"CVE-2021-37137","details":"The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.","aliases":["GHSA-9vjp-v76f-g363"],"modified":"2026-04-10T04:35:47.237783Z","published":"2021-10-19T15:15:07.757Z","related":["GHSA-9vjp-v76f-g363","SUSE-SU-2022:1271-1","SUSE-SU-2022:3617-1","SUSE-SU-2022:3760-1","SUSE-SU-2022:3793-1","openSUSE-SU-2024:14442-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e%40%3Cdev.tinkerpop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16%40%3Ccommits.druid.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20220210-0012/"},{"type":"ADVISORY","url":"https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2023/dsa-5316"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/netty/netty","events":[{"introduced":"0"},{"fixed":"7d34282f9d2ffdd64c91cb4780b09902d9779b92"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.1.68"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"36f3921e00ed5568b04ab93eda3433fd3b73622f"},{"introduced":"0"},{"fixed":"d0ffa05fe8b8fb258d6c177ff0427dd71d7d5210"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.10.0"},{"introduced":"0"},{"fixed":"2.2.4"}]}}],"versions":["1.10.0.Final","netty-4.0.0.Alpha1","netty-4.0.0.Alpha2","netty-4.0.0.Alpha3","netty-4.0.0.Alpha4","netty-4.0.0.Alpha5","netty-4.0.0.Alpha6","netty-4.0.0.Alpha7","netty-4.0.0.Alpha8","netty-4.0.0.Beta1","netty-4.0.0.Beta2","netty-4.0.0.Beta3","netty-4.0.0.CR1","netty-4.0.0.CR2","netty-4.0.0.CR3","netty-4.0.0.CR4","netty-4.0.0.CR5","netty-4.0.0.CR7","netty-4.0.0.CR8","netty-4.0.0.CR9","netty-4.0.0.Final","netty-4.0.1.Final","netty-4.0.10.Final","netty-4.0.11.Final","netty-4.0.12.Final","netty-4.0.13.Final","netty-4.0.14.Beta1","netty-4.0.14.Final","netty-4.0.15.Final","netty-4.0.2.Final","netty-4.0.3.Final","netty-4.0.4.Final","netty-4.0.5.Final","netty-4.0.6.Final","netty-4.0.7.Final","netty-4.0.8.Final","netty-4.1.0.Beta1","netty-4.1.0.Beta2","netty-4.1.0.Beta3","netty-4.1.0.Beta4","netty-4.1.0.Beta5","netty-4.1.0.Beta6","netty-4.1.0.Beta7","netty-4.1.0.Beta8","netty-4.1.0.CR1","netty-4.1.0.CR2","netty-4.1.0.CR3","netty-4.1.0.CR4","netty-4.1.0.CR5","netty-4.1.0.CR6","netty-4.1.0.CR7","netty-4.1.0.Final","netty-4.1.1.Final","netty-4.1.10.Final","netty-4.1.11.Final","netty-4.1.12.Final","netty-4.1.13.Final","netty-4.1.14.Final","netty-4.1.15.Final","netty-4.1.16.Final","netty-4.1.17.Final","netty-4.1.18.Final","netty-4.1.19.Final","netty-4.1.2.Final","netty-4.1.20.Final","netty-4.1.21.Final","netty-4.1.22.Final","netty-4.1.23.Final","netty-4.1.24.Final","netty-4.1.25.Final","netty-4.1.26.Final","netty-4.1.27.Final","netty-4.1.28.Final","netty-4.1.29.Final","netty-4.1.3.Final","netty-4.1.30.Final","netty-4.1.31.Final","netty-4.1.32.Final","netty-4.1.33.Final","netty-4.1.34.Final","netty-4.1.35.Final","netty-4.1.36.Final","netty-4.1.37.Final","netty-4.1.38.Final","netty-4.1.39.Final","netty-4.1.4.Final","netty-4.1.40.Final","netty-4.1.41.Final","netty-4.1.42.Final","netty-4.1.43.Final","netty-4.1.44.Final","netty-4.1.45.Final","netty-4.1.46.Final","netty-4.1.47.Final","netty-4.1.48.Final","netty-4.1.49.Final","netty-4.1.5.Final","netty-4.1.50.Final","netty-4.1.51.Final","netty-4.1.52.Final","netty-4.1.53.Final","netty-4.1.54.Final","netty-4.1.55.Final","netty-4.1.56.Final","netty-4.1.57.Final","netty-4.1.58.Final","netty-4.1.59.Final","netty-4.1.6.Final","netty-4.1.60.Final","netty-4.1.61.Final","netty-4.1.62.Final","netty-4.1.63.Final","netty-4.1.64.Final","netty-4.1.65.Final","netty-4.1.66.Final","netty-4.1.67.Final","netty-4.1.7.Final","netty-4.1.8.Final","netty-4.1.9.Final"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37137.json","unresolved_ranges":[{"events":[{"introduced":"18.1"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18.2"}]},{"events":[{"introduced":"0"},{"last_affected":"18.3"}]},{"events":[{"introduced":"0"},{"last_affected":"19.1"}]},{"events":[{"introduced":"0"},{"last_affected":"19.2"}]},{"events":[{"introduced":"0"},{"last_affected":"20.1"}]},{"events":[{"introduced":"0"},{"last_affected":"21.1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"fixed":"12.0.0.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0.5.0"}]},{"events":[{"introduced":"8.0.0.0"},{"last_affected":"8.5.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"8.57"}]},{"events":[{"introduced":"0"},{"last_affected":"8.58"}]},{"events":[{"introduced":"0"},{"last_affected":"8.59"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.3.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.1.4.0"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}