Aircompressor Vulnerability Could Lead to Memory Corruption and Denial of Service Attacks
CVE-2024-36114

8.6HIGH

Key Information:

Vendor

Airlift

Status
Aircompressor
Vendor
CVE Published:
29 May 2024

What is CVE-2024-36114?

The Aircompressor library, which ports multiple compression algorithms to Java, has vulnerabilities in all its decompressor implementations (LZ4, LZO, Snappy, Zstandard). These vulnerabilities arise when the decompressor attempts to access memory outside the allocated byte arrays or byte buffers. By leveraging the unsafe memory access provided by the JDK class sun.misc.Unsafe, the library lacks sufficient bounds checks. This can result in unpredictable behavior, including JVM crashes, and may expose sensitive data residing in the memory of the Java process. Users are encouraged to upgrade to Aircompressor version 0.27 or later to mitigate these risks, especially when handling data from untrusted sources.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

aircompressor < 0.27

References

https://github.com/airlift/aircompressor/security/advisor...
x_refsource_CONFIRM
https://github.com/airlift/aircompressor/commit/15e68df9e...
x_refsource_MISC
https://github.com/airlift/aircompressor/commit/2cea90a45...
x_refsource_MISC

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.