CVE-2018-25032 - Vulnerability Details

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0009.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Apple	Mac Os X Macos
Azul	Zulu
Debian	Debian Linux
Fedoraproject	Fedora
Goto	Gotoassist
Mariadb	Mariadb
Microsoft	Windows
Netapp	Active Iq Unified Manager E-series Santricity Os Controller H300s H300s Firmware H410c H410c Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Hci Compute Node Management Services For Element Software Oncommand Workflow Automation Ontap Select Deploy Administration Utility
Nokogiri	Nokogiri
Python	Python
Redhat	Enterprise Linux Jboss Core Services Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus Rhev Hypervisor
Siemens	Scalance Sc622-2c Scalance Sc622-2c Firmware Scalance Sc626-2c Scalance Sc626-2c Firmware Scalance Sc632-2c Scalance Sc632-2c Firmware Scalance Sc636-2c Scalance Sc636-2c Firmware Scalance Sc642-2c Scalance Sc642-2c Firmware Scalance Sc646-2c Scalance Sc646-2c Firmware
Zlib	Zlib

Configuration 1 [-]

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 6 [-]

OR	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:-::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

Configuration 7 [-]

OR	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::

Configuration 8 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
	cpe:2.3:h:netapp:hci_compute_node:-:::::::*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:siemens:scalance_sc622-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc622-2c:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:siemens:scalance_sc626-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc626-2c:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:siemens:scalance_sc632-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc632-2c:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:siemens:scalance_sc636-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc636-2c:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:siemens:scalance_sc642-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc642-2c:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:siemens:scalance_sc646-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc646-2c:-:*:*:*:*:*:*:*

Configuration 20 [-]

OR	cpe:2.3:a:azul:zulu:6.45:::::::*
	cpe:2.3:a:azul:zulu:7.52:::::::*
	cpe:2.3:a:azul:zulu:8.60:::::::*
	cpe:2.3:a:azul:zulu:11.54:::::::*
	cpe:2.3:a:azul:zulu:13.46:::::::*
	cpe:2.3:a:azul:zulu:15.38:::::::*
	cpe:2.3:a:azul:zulu:17.32:::::::*

Configuration 21 [-]

cpe:2.3:a:goto:gotoassist:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6 Extended Lifecycle Support
zlib-0:1.2.3-31.el6_10	cpe:/o:redhat:rhel_els:6	RHSA-2022:2214	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 7
zlib-0:1.2.7-20.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2022:2213	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 7.4 Advanced Update Support
zlib-0:1.2.7-17.el7_4.1	cpe:/o:redhat:rhel_aus:7.4	RHSA-2023:0976	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)
zlib-0:1.2.7-18.el7_6.1	cpe:/o:redhat:rhel_aus:7.6	RHSA-2023:0975	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Advanced Update Support
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_aus:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Telco Extended Update Support
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_tus:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_e4s:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 8
mingw-zlib-0:1.2.8-10.el8	cpe:/a:redhat:enterprise_linux:8::crb	RHSA-2022:7813	2022-11-08T00:00:00Z
zlib-0:1.2.11-18.el8_5	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:1642	2022-04-28T00:00:00Z
rsync-0:3.1.3-14.el8_6.2	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:2201	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
zlib-0:1.2.11-11.el8_1.1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2022:1591	2022-04-26T00:00:00Z
rsync-0:3.1.3-6.el8_1.1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2022:2197	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
zlib-0:1.2.11-17.el8_2	cpe:/o:redhat:rhel_eus:8.2	RHSA-2022:1661	2022-05-02T00:00:00Z
rsync-0:3.1.3-7.el8_2.1	cpe:/o:redhat:rhel_eus:8.2	RHSA-2022:2192	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
rsync-0:3.1.3-12.el8_4.1	cpe:/o:redhat:rhel_eus:8.4	RHSA-2022:2198	2022-05-11T00:00:00Z
zlib-0:1.2.11-18.el8_4	cpe:/o:redhat:rhel_eus:8.4	RHSA-2022:4845	2022-05-31T00:00:00Z
Red Hat Enterprise Linux 9
zlib-0:1.2.11-31.el9_0.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:4584	2022-05-17T00:00:00Z
rsync-0:3.2.3-9.el9_0.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:4592	2022-05-18T00:00:00Z
mingw-zlib-0:1.2.12-2.el9	cpe:/a:redhat:enterprise_linux:9::crb	RHSA-2022:8420	2022-11-15T00:00:00Z
zlib-0:1.2.11-31.el9_0.1	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:4584	2022-05-17T00:00:00Z
rsync-0:3.2.3-9.el9_0.1	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:4592	2022-05-18T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
redhat-virtualization-host-0:4.3.23-20220622.0.el7_9	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHSA-2022:5439	2022-07-01T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
redhat-virtualization-host-0:4.5.0-202205291010_8.6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2022:4896	2022-06-03T00:00:00Z
Text-Only JBCS
zlib	cpe:/a:redhat:jboss_core_services:1	RHSA-2022:7144	2022-10-26T00:00:00Z

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://security.gentoo.org/glsa/202210-42
https://security.netapp.com/advisory/ntap-20220526-0009/
https://security.netapp.com/advisory/ntap-20220729-0004/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://www.cve.org/CVERecord?id=CVE-2018-25032
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
https://www.oracle.com/security-alerts/cpujul2022.html

History

Thu, 21 Aug 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft windows
CPEs		cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Microsoft Microsoft windows

Tue, 06 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Mar 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nokogiri Nokogiri nokogiri
CPEs		cpe:2.3:a:nokogiri:nokogiri::::::ruby::*
Vendors & Products		Nokogiri Nokogiri nokogiri

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-25T00:00:00.000Z

Updated: 2025-05-06T14:19:53.894Z

Reserved: 2022-03-25T00:00:00.000Z

Link: CVE-2018-25032

Vulnrichment

Updated: 2024-08-05T12:26:39.599Z

NVD

Status : Analyzed

Published: 2022-03-25T09:15:08.187

Modified: 2025-08-21T20:37:11.840

Link: CVE-2018-25032

Redhat

Severity : Important

Publid Date: 2018-04-20T00:00:00Z

Links: CVE-2018-25032 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object