{"id":"CVE-2024-36114","summary":"Decompressors can crash the JVM and leak memory content in Aircompressor","details":"Aircompressor is a library with ports of the Snappy, LZO, LZ4, and Zstandard compression algorithms to Java. All decompressor implementations of Aircompressor (LZ4, LZO, Snappy, Zstandard) can crash the JVM for certain input, and in some cases also leak the content of other memory of the Java process (which could contain sensitive information). When decompressing certain data, the decompressors try to access memory outside the bounds of the given byte arrays or byte buffers. Because Aircompressor uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. Users should update to Aircompressor 0.27 or newer where these issues have been fixed. When decompressing data from untrusted users, this can be exploited for a denial-of-service attack by crashing the JVM, or to leak other sensitive information from the Java process. There are no known workarounds for this issue.","aliases":["GHSA-973x-65j7-xcf4"],"modified":"2026-04-12T07:38:42.011117Z","published":"2024-05-29T20:24:53.906Z","related":["CGA-pqhf-8597-rprx"],"database_specific":{"cwe_ids":["CWE-125","CWE-787"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36114.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/36xxx/CVE-2024-36114.json"},{"type":"ADVISORY","url":"https://github.com/airlift/aircompressor/security/advisories/GHSA-973x-65j7-xcf4"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-36114"},{"type":"FIX","url":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"type":"FIX","url":"https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"},{"type":"FIX","url":"https://github.com/airlift/aircompressor/commit/cf66151541edb062ea88b6f3baab3f95e48b7b7f"},{"type":"FIX","url":"https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"15e68df9eb0c2bfde7f796231ee7cd1982965071"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"2cea90a45534f9aacbb77426fb64e975504dee6e"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"cf66151541edb062ea88b6f3baab3f95e48b7b7f"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"d01ecb779375a092d00e224abe7869cdf49ddc3e"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"15e68df9eb0c2bfde7f796231ee7cd1982965071"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"2cea90a45534f9aacbb77426fb64e975504dee6e"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"cf66151541edb062ea88b6f3baab3f95e48b7b7f"}]},{"type":"GIT","repo":"https://github.com/airlift/aircompressor","events":[{"introduced":"0"},{"fixed":"d01ecb779375a092d00e224abe7869cdf49ddc3e"}]}],"versions":["0.1","0.10","0.11","0.12","0.13","0.14","0.15","0.16","0.17","0.18","0.19","0.2","0.20","0.21","0.22","0.23","0.24","0.25","0.26","0.3","0.4","0.5","0.6","0.7","0.8","0.9"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["132995660556643355588195406514514545555","185980565687032647829720888791575198472","329878687554255029320163716235892009068","253076657082074711748986946671205542461","108594064669889561870517831597168010720","197451233115909764185113477960678307338","85264110179668500234731809316710987144","164713591456374830772028542888886293793"]},"id":"CVE-2024-36114-03e5dad2","deprecated":false,"target":{"file":"src/test/java/io/airlift/compress/snappy/TestSnappy.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":208,"function_hash":"247290067877501691045176272047907866283"},"id":"CVE-2024-36114-102a8a89","deprecated":false,"target":{"function":"copyLastLiteral","file":"src/main/java/io/airlift/compress/zstd/ZstdFrameDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["108587633537507210242609878158511307392","225779327234986622183534073738814582869","18358194004045021404252520819025099928","31970545253903883599856317043113094639"]},"id":"CVE-2024-36114-1f9c83bb","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/snappy/SnappyRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["20760560763835246913830028384100511902","54378718976028311510159039461860872636","285676281222597721452904067281333628139","38764453462118408473721056286886480643","141033305955454710231303027148253946005","289508930345496015685271860915628372502","180240577623595957684884901618091176456","334176607764920480952943067802274698819","101817177469963026916874475129755794885"]},"id":"CVE-2024-36114-34c774d8","deprecated":false,"target":{"file":"src/test/java/io/airlift/compress/lz4/TestLz4.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":3665,"function_hash":"34485974443664462329086975775160876670"},"id":"CVE-2024-36114-3bfe9eb7","deprecated":false,"target":{"function":"decode4Streams","file":"src/main/java/io/airlift/compress/zstd/Huffman.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["120509392630191464512037198642043025233","306111002906485673198806859872318284096","313081365178277547439173655806931091764"]},"id":"CVE-2024-36114-46cadd09","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/zstd/Huffman.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":1752,"function_hash":"83354881094540805290494463623002055924"},"id":"CVE-2024-36114-478922d9","deprecated":false,"target":{"function":"decompress","file":"src/main/java/io/airlift/compress/zstd/ZstdFrameDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["85702135579726620732347839985638265126","31338591659225251615112070187799124087","321615269470103858074384522091018570509","162314288210759368860097818333065992287","215473341077072746350975941626497403005","90695187720327948861419839278137461378","138642939100926451813980272326173372582","291287956331741692783707490728242940215"]},"id":"CVE-2024-36114-6551dc73","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/lz4/Lz4RawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":4457,"function_hash":"245801811663688960592447192997207768762"},"id":"CVE-2024-36114-7ccb134a","deprecated":false,"target":{"function":"decompressSequences","file":"src/main/java/io/airlift/compress/zstd/ZstdFrameDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["242891737099954121092220623145481013436","148549880444348184822867111924278050730","132518070974261941145739165848096062214","179108167536532359369235755084028344272","252725772912945723925173750007313046604","90703127352215718334235552135280040795","113828778848937287186955501473703839484","252854728178686992717401928716683198862"]},"id":"CVE-2024-36114-7ef07953","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/snappy/SnappyRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":2991,"function_hash":"305701541836719853892448075042362500181"},"id":"CVE-2024-36114-98c36257","deprecated":false,"target":{"function":"uncompressAll","file":"src/main/java/io/airlift/compress/snappy/SnappyRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["180563486481843634236797103366494522016","98724990690564095673676471916843060340","312501616096166078178736316145753276489","112137127286037917736166333336754959166","243764110841528206035159695269739053189","102879728934658334749191052420949116615"]},"id":"CVE-2024-36114-a86ed3ed","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/lzo/LzoRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":4622,"function_hash":"73106250139262659694387131462698893822"},"id":"CVE-2024-36114-be0261c9","deprecated":false,"target":{"function":"decompress","file":"src/main/java/io/airlift/compress/lzo/LzoRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["254193197401559541421609728903358941163","234320295159881888837867895477799245387","313956013269983987521642617417497808535","203047479411520133309017250516220133063","278391146116339196952471838720234627746","85867410716842773930796238069587332800","319186977152663046485445501073274519079","323092254299071936828253206072168798707","71445336237410759320899600174906370613","242740403959731729959302053263915543198","248228119491871933554784836364110040214","200532698112113647319169019011529733179"]},"id":"CVE-2024-36114-c2b0e910","deprecated":false,"target":{"file":"src/main/java/io/airlift/compress/zstd/ZstdFrameDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/d01ecb779375a092d00e224abe7869cdf49ddc3e"},{"signature_version":"v1","signature_type":"Function","digest":{"length":3174,"function_hash":"19292144230146607556451302287731946342"},"id":"CVE-2024-36114-ce739a18","deprecated":false,"target":{"function":"decompress","file":"src/main/java/io/airlift/compress/lz4/Lz4RawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Function","digest":{"length":813,"function_hash":"125094864095815175044348094974561823172"},"id":"CVE-2024-36114-d2c91bf0","deprecated":false,"target":{"function":"readUncompressedLength","file":"src/main/java/io/airlift/compress/snappy/SnappyRawDecompressor.java"},"source":"https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["54518180241512266173850954977039642792","29334875470557754035344570166334475045"]},"id":"CVE-2024-36114-d807c883","deprecated":false,"target":{"file":"src/test/java/io/airlift/compress/snappy/TestSnappy.java"},"source":"https://github.com/airlift/aircompressor/commit/2cea90a45534f9aacbb77426fb64e975504dee6e"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["128477088165813120245829812189492233790","179574243175362791345984751938412564059","89868010527818374436293059786718653804","190680209596788203204633428942730108432","27400550776714989205094349321276590494"]},"id":"CVE-2024-36114-e4ddcfca","deprecated":false,"target":{"file":"src/test/java/io/airlift/compress/zstd/TestZstd.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"},{"signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["238210960618048698593385281178593226855","2521997398462991710699584985600929357","96670667263969041814882797167110062710","191841748856084844019638313407232962922","206173243531239294066417482335393437744","255887906346980300638912649363269739428","203602295918991270128872770560624349808","114806778783350610373443403822945886753"]},"id":"CVE-2024-36114-ec416490","deprecated":false,"target":{"file":"src/test/java/io/airlift/compress/lzo/TestLzo.java"},"source":"https://github.com/airlift/aircompressor/commit/15e68df9eb0c2bfde7f796231ee7cd1982965071"}],"vanir_signatures_modified":"2026-04-12T07:38:42Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36114.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"}]}