iq80 Snappy has an out-of-bounds read when uncompressing data, leading to JVM crash
Description
The iq80 Snappy decompression library reads out of bounds when processing crafted data, risking a JVM crash via sun.misc.Unsafe memory access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-36124 is an out-of-bounds read in the iq80 Snappy compression/decompression library for Java. When decompressing specially crafted input, the decoder reads past the end of the byte arrays it was given [1]. Because the library reads memory through sun.misc.Unsafe for speed rather than through ordinary array indexing, the JVM's bounds checks do not apply: the bad access does not raise an ArrayIndexOutOfBoundsException, and instead behaves like an unchecked read in native code [3].
Exploitation
An attacker exploits the flaw by supplying crafted Snappy-compressed data to any application that decompresses it with iq80 Snappy. No privileges are needed beyond the ability to submit compressed bytes; the attack surface is every code path that feeds untrusted compressed data to the decoder (file uploads, network streams, archive or message payloads) [3]. Because the reads go through sun.misc.Unsafe, nothing validates the access before it happens, so the crafted input leads directly to undefined behavior [1].
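To make "crafted data" concrete, the following is an added example, not code from the iq80 Snappy project or from the advisory: a minimal decoder for the raw Snappy block format written in Python, with an explicit check at every point where a decompressor reads from its input or from the output it has produced so far. Those checks are exactly what plain Java array indexing would give for free and what reads through sun.misc.Unsafe skip. The three inputs in CRAFTED are constructed for illustration (a literal that runs past the end of the input, a back-reference that points before the start of the output, and a literal that overruns the declared output length); they are not a reproducer for CVE-2024-36124, whose triggering input the advisory does not publish.

```python
"""Bounds-checked decoder for the raw Snappy block format (added example).

Not iq80 Snappy's code. It follows the public Snappy format description so a
reader can see which reads a decompressor must guard. Every SnappyFormatError
below marks a place where an unchecked decoder would read outside its buffers.
"""
from __future__ import annotations


class SnappyFormatError(ValueError):
    """Raised where an unchecked decoder would read out of bounds."""


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode the little-endian base-128 uncompressed-length preamble."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise SnappyFormatError("truncated length preamble")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 28:
            raise SnappyFormatError("length preamble too long")


def _read_le(buf: bytes, pos: int, n: int) -> tuple[int, int]:
    """Read n little-endian bytes with an explicit end-of-input check."""
    if pos + n > len(buf):
        raise SnappyFormatError("element header runs past end of input")
    return int.from_bytes(buf[pos:pos + n], "little"), pos + n


def snappy_uncompress(buf: bytes) -> bytes:
    """Decode one raw Snappy block, raising instead of reading out of bounds."""
    expected, pos = _read_varint(buf, 0)
    out = bytearray()
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        kind = tag & 0x03
        if kind == 0:  # literal: copy bytes straight from the input
            length = tag >> 2
            if length >= 60:  # 60..63 means (length - 1) follows in 1..4 bytes
                length, pos = _read_le(buf, pos, length - 59)
            length += 1
            if pos + length > len(buf):
                raise SnappyFormatError("literal runs past end of input")
            if len(out) + length > expected:
                raise SnappyFormatError("literal would exceed declared length")
            out += buf[pos:pos + length]
            pos += length
        else:  # copy: back-reference into output already produced
            if kind == 1:  # 1-byte offset (11 bits total), length 4..11
                length = 4 + ((tag >> 2) & 0x07)
                low, pos = _read_le(buf, pos, 1)
                offset = ((tag >> 5) << 8) | low
            else:  # 2-byte (kind 2) or 4-byte (kind 3) offset, length 1..64
                length = 1 + (tag >> 2)
                offset, pos = _read_le(buf, pos, 2 if kind == 2 else 4)
            if offset == 0 or offset > len(out):
                raise SnappyFormatError("copy offset points before start of output")
            if len(out) + length > expected:
                raise SnappyFormatError("copy would exceed declared length")
            start = len(out) - offset
            for i in range(length):  # byte-wise so overlapping copies repeat correctly
                out.append(out[start + i])
    if len(out) != expected:
        raise SnappyFormatError(f"declared {expected} bytes, produced {len(out)}")
    return bytes(out)


# Constructed inputs; each makes an unchecked decoder read outside a buffer.
CRAFTED = {
    # literal tag 0xF0: one extra length byte (99 -> 100 bytes), none follow
    "truncated_literal": bytes([100, 0xF0, 99]),
    # 1-byte-offset copy with offset 64 before any output exists
    "copy_before_start": bytes([4, 0x01, 0x40]),
    # 3-byte literal when the preamble declares only 2 bytes of output
    "output_overrun": bytes([2, 0x08]) + b"abc",
}


def probe(name: str) -> str:
    """Return the check a crafted input trips, or 'ok' if it decodes cleanly."""
    try:
        snappy_uncompress(CRAFTED[name])
    except SnappyFormatError as e:
        return str(e)
    return "ok"


if __name__ == "__main__":
    # "abc" followed by an overlapping copy (offset 3, length 6) -> "abcabcabc"
    print(snappy_uncompress(b"\x09\x08abc\x09\x03"))
    for name in CRAFTED:
        print(f"{name}: {probe(name)}")
```

The overlapping-copy case in the usage block (offset smaller than length) is the reason the copy loop is byte-wise: a bulk memcpy would not see the bytes it is itself producing, which is a correctness matter separate from the bounds checks the example is about.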
Impact
Successful exploitation results in denial of service: the JVM may crash or behave non-deterministically [1][3]. An unchecked read could in principle expose adjacent memory as well, but the advisory describes only the DoS impact [3].
Mitigation
The iq80 Snappy project is no longer actively maintained [1]. The immediate fix is to upgrade to version 0.5, which addresses the read [3]. For the longer term, migrate to the Snappy implementation in aircompressor (version 0.27 or newer) [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.iq80.snappy:snappy | Maven | < 0.5 | 0.5 |
Affected products
8 OSV coordinates, 7 version ranges:
- pkg:apk/chainguard/apache-nifi (no CPE): < 2.0.0-r0
- pkg:apk/chainguard/apache-nifi-compat (no CPE): < 2.0.0-r0
- pkg:apk/chainguard/apache-nifi-toolkit (no CPE): < 2.0.0-r0
- pkg:apk/wolfi/apache-nifi (no CPE): < 2.0.0-r0
- pkg:apk/wolfi/apache-nifi-compat (no CPE): < 2.0.0-r0
- pkg:apk/wolfi/apache-nifi-toolkit (no CPE): < 2.0.0-r0
- pkg:maven/org.iq80.snappy/snappy (no CPE): < 0.5
- dain/snappy (GitHub): < 0.5
Patches
No patches discovered yet (0 linked).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-8wh2-6qhj-h7j9 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2024-36124 (NVD entry)
3. github.com/dain/snappy/security/advisories/GHSA-8wh2-6qhj-h7j9 (upstream repository advisory, confirmed)
News mentions
No linked articles in our index yet (0 linked).