VDB

CVE-2026-0528

CVE-2026-0528 PUBLISHED CVSS 6.5 MEDIUM

yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1.

EPSS 0.11% · 28.5th percentile

Risk Scores

CVSS 3.1
6.5
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score
0.11%
28.5th percentile

Affected Products

VendorProductVersions
elastickibana8.0.0, 9.0.0, 9.2.0
yawkatlz4-java< 1.10.1
github.comelastic/beats/v79.0.0, 0, 8.0.0
ElasticMetricbeat9.0.0, 9.2.0, 8.0.0

Exploit Intelligence

…and 10 more exploits

Timeline

  • Dec 5, 2025 PoC Published
  • Dec 5, 2025 PoC Published
  • Dec 6, 2025 PoC Published
  • Dec 8, 2025 PoC Published
  • Jan 13, 2026 CVE Published
  • Jan 13, 2026 PoC Published
  • Jan 14, 2026 EPSS Score
  • Jan 14, 2026 PoC Published
  • Jan 14, 2026 PoC Published
  • Jan 17, 2026 EPSS Score
  • Jan 20, 2026 EPSS Score
  • Jan 21, 2026 PoC Published

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›