Elasticsearch 8.19.10, 9.1.10, 9.2.4 Security Update (ESA-2026-07)

Elasticsearch yawkat LZ4 Java - CVE-2025-66566 (ESA-2026-07)

An Information Disclosure vulnerability (CVE-2025-66566) exists in the yawkat LZ4 Java library used by Elasticsearch that allows an attacker to read previous buffer contents through specially crafted compressed input sent via the transport layer.

Affected Versions:

  • 7.x: All versions from 7.14.0 up to and including 7.17.29
  • 8.x: All versions from 8.0.0 up to and including 8.19.9
  • 9.x:
    • All versions from 9.0.0 up to and including 9.1.9
    • All versions from 9.2.0 up to and including 9.2.3

Solutions and Mitigations:

Users should upgrade to version 8.19.10, 9.1.10, or 9.2.4.

For Users that Cannot Upgrade:

Self-hosted

For users who cannot upgrade immediately, the following workarounds can be applied to elasticsearch.yml. Note that these changes require a node restart to take effect.

  • Switch to Deflate: The LZ4 Java decompressor can be bypassed by switching the transport compression scheme to deflate: transport.compression_scheme: deflate
  • Disable Compression: Compression can be disabled entirely, though this will result in increased network bandwidth usage: transport.compress: false
  • Cross-Cluster Settings: If utilizing cross-cluster search or replication, apply the mitigation to remote connections: cluster.remote.<cluster_alias>.transport.compression_scheme: deflate
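
The following is an added example, not part of Elastic's advisory or tooling: a small audit that checks a node's version against the affected ranges listed above and reports whether its elasticsearch.yml applies one of the workarounds. The function names, the sample file, and the cluster aliases and addresses in it are hypothetical; unset settings are reported rather than assumed safe.

```python
import re
# Affected ranges (inclusive bounds), copied from the advisory above.
AFFECTED = [((7, 14, 0), (7, 17, 29)), ((8, 0, 0), (8, 19, 9)),
            ((9, 0, 0), (9, 1, 9)), ((9, 2, 0), (9, 2, 3))]

def is_affected(version):
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def flatten_yaml(text):
    """Flatten 'a.b: v' and nested mappings to dotted keys (not full YAML)."""
    settings, stack = {}, []  # stack: (indent, key) of open parent mappings
    for raw in text.splitlines():
        line = re.sub(r"(^|\s+)#.*$", "", raw).rstrip()
        m = re.match(r"^(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value == "":
            stack.append((indent, key))
        else:
            settings[".".join([k for _, k in stack] + [key])] = value.strip("\"'")
    return settings

def audit(version, yml_text):
    """Return findings for one node; an empty list means nothing to report."""
    if not is_affected(version):
        return []
    s, findings = flatten_yaml(yml_text), []
    scheme = s.get("transport.compression_scheme", "").lower()
    # Assumption: an unset value is reported, not trusted to a version default.
    if s.get("transport.compress", "").lower() != "false" and scheme != "deflate":
        findings.append("transport: set compression_scheme: deflate or compress: false")
    aliases = {m.group(1) for k in s if (m := re.match(r"cluster\.remote\.([^.]+)\.", k))}
    for alias in sorted(aliases):
        key = f"cluster.remote.{alias}.transport.compression_scheme"
        if s.get(key, "").lower() != "deflate":
            findings.append(f"{key}: not set to deflate")
    return findings

# Constructed sample elasticsearch.yml (hypothetical aliases and addresses).
SAMPLE = """\
transport:
  compress: indexing_data
cluster.remote.dr_site.transport.compression_scheme: deflate
cluster.remote.archive.seeds: 10.0.0.9:9300
"""
```

Remote clusters registered through the cluster settings API rather than elasticsearch.yml are not seen by this check and need to be reviewed separately.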

Cloud

For users on Elastic Cloud who cannot upgrade immediately:

  • Configuration: The transport.compression_scheme setting can be configured by users in the Cloud Console for versions 7.17.0 and later. Users can switch the scheme to deflate or disable compression via the user settings block.
  • Remote Clusters: While users cannot configure cluster.remote.<cluster_alias>.transport.compression_scheme directly in the Cloud UI, remote cluster connections will automatically inherit the global transport.compression_scheme setting.

Elastic Cloud Serverless

Due to our continuous deployment and patching model, the vulnerability described in this security advisory was remediated in our Elastic Cloud Serverless offering before the public disclosure.

Severity: CVSSv3.1: High (8.4) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE ID: CVE-2025-66566