Out-of-bounds read in lz4-java - #VU137032
Published: July 7, 2026
lz4-java
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information and cause a denial of service.
The vulnerability exists due to out-of-bounds read in streaming JNI-based XXHash implementations when processing an oversized length for a byte array. A remote user can pass a crafted length value to native XXHash update methods to disclose sensitive information and cause a denial of service.
The issue affects the streaming native XXHash update APIs. The non-streaming oversized-length hash case was already rejected in Java.