There is a CVE which considers high risk for air compressor https://nvd.nist.gov/vuln/detail/CVE-2025-67721
And the fix version is 3.4. I downloaded the 3.4 jar from maven central and checked its byte code version, the result is public interface io.airlift.compress.v3.Compressor minor version: 0 major version: 66 Which indicates that it requires at least JDK22 to run. Since we still need to support JDK8 on 2.x, I propose we just remove the air compression support in HBase, as for most cases, we could use the native snappy or zstd compression. Thoughts? Thanks.
