216.73.217.22

CVE-2026-22184

· Published 07/01/2026 21:16 · Modified 08/01/2026 18:08

Labels: CVE-2026-22184 2026-01-07CVE-2026-22184CWE-120[email protected]

Essential information

Published
07/01/2026 21:16
Modified
08/01/2026 18:08
Author
Creator
CVSS
9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
zhengzhang / zlib cpe:2.3:a:zhengzhang:zlib:<=1.3.1.2:*:*:*:*:*:*:*

References