CVE-2018-25032 - Vulnerability Details

- zlib: A flaw found in zlib when compressing (not decompressing) certain inputs

Description

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Published: 2022-03-25

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:nokogiri:nokogiri:*:*:*:*:*:ruby:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*

Configuration 4 [-]

OR	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 [-]

OR	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*
	cpe:2.3:o:fedoraproject:fedora:36:::::::*

Configuration 6 [-]

OR	cpe:2.3:o:apple:mac_os_x::::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:-::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-005::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-002::::::
	cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003::::::
	cpe:2.3:o:apple:macos::::::::
	cpe:2.3:o:apple:macos::::::::

Configuration 7 [-]

OR	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::
	cpe:2.3:a:mariadb:mariadb::::::::

Configuration 8 [-]

OR	cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
	cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::
	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
	cpe:2.3:h:netapp:hci_compute_node:-:::::::*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:siemens:scalance_sc622-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc622-2c:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:siemens:scalance_sc626-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc626-2c:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:siemens:scalance_sc632-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc632-2c:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND

cpe:2.3:o:siemens:scalance_sc636-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc636-2c:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND

cpe:2.3:o:siemens:scalance_sc642-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc642-2c:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND

cpe:2.3:o:siemens:scalance_sc646-2c_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:scalance_sc646-2c:-:*:*:*:*:*:*:*

Configuration 20 [-]

OR	cpe:2.3:a:azul:zulu:6.45:::::::*
	cpe:2.3:a:azul:zulu:7.52:::::::*
	cpe:2.3:a:azul:zulu:8.60:::::::*
	cpe:2.3:a:azul:zulu:11.54:::::::*
	cpe:2.3:a:azul:zulu:13.46:::::::*
	cpe:2.3:a:azul:zulu:15.38:::::::*
	cpe:2.3:a:azul:zulu:17.32:::::::*

Configuration 21 [-]

cpe:2.3:a:goto:gotoassist:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 6 Extended Lifecycle Support
zlib-0:1.2.3-31.el6_10	cpe:/o:redhat:rhel_els:6	RHSA-2022:2214	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 7
zlib-0:1.2.7-20.el7_9	cpe:/o:redhat:enterprise_linux:7	RHSA-2022:2213	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 7.4 Advanced Update Support
zlib-0:1.2.7-17.el7_4.1	cpe:/o:redhat:rhel_aus:7.4	RHSA-2023:0976	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)
zlib-0:1.2.7-18.el7_6.1	cpe:/o:redhat:rhel_aus:7.6	RHSA-2023:0975	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Advanced Update Support
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_aus:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Telco Extended Update Support
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_tus:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
zlib-0:1.2.7-18.el7_7.1	cpe:/o:redhat:rhel_e4s:7.7	RHSA-2023:0943	2023-02-28T00:00:00Z
Red Hat Enterprise Linux 8
mingw-zlib-0:1.2.8-10.el8	cpe:/a:redhat:enterprise_linux:8::crb	RHSA-2022:7813	2022-11-08T00:00:00Z
zlib-0:1.2.11-18.el8_5	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:1642	2022-04-28T00:00:00Z
rsync-0:3.1.3-14.el8_6.2	cpe:/o:redhat:enterprise_linux:8	RHSA-2022:2201	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions
zlib-0:1.2.11-11.el8_1.1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2022:1591	2022-04-26T00:00:00Z
rsync-0:3.1.3-6.el8_1.1	cpe:/o:redhat:rhel_e4s:8.1	RHSA-2022:2197	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.2 Extended Update Support
zlib-0:1.2.11-17.el8_2	cpe:/o:redhat:rhel_eus:8.2	RHSA-2022:1661	2022-05-02T00:00:00Z
rsync-0:3.1.3-7.el8_2.1	cpe:/o:redhat:rhel_eus:8.2	RHSA-2022:2192	2022-05-11T00:00:00Z
Red Hat Enterprise Linux 8.4 Extended Update Support
rsync-0:3.1.3-12.el8_4.1	cpe:/o:redhat:rhel_eus:8.4	RHSA-2022:2198	2022-05-11T00:00:00Z
zlib-0:1.2.11-18.el8_4	cpe:/o:redhat:rhel_eus:8.4	RHSA-2022:4845	2022-05-31T00:00:00Z
Red Hat Enterprise Linux 9
zlib-0:1.2.11-31.el9_0.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:4584	2022-05-17T00:00:00Z
rsync-0:3.2.3-9.el9_0.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2022:4592	2022-05-18T00:00:00Z
mingw-zlib-0:1.2.12-2.el9	cpe:/a:redhat:enterprise_linux:9::crb	RHSA-2022:8420	2022-11-15T00:00:00Z
zlib-0:1.2.11-31.el9_0.1	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:4584	2022-05-17T00:00:00Z
rsync-0:3.2.3-9.el9_0.1	cpe:/o:redhat:enterprise_linux:9	RHSA-2022:4592	2022-05-18T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 7
redhat-virtualization-host-0:4.3.23-20220622.0.el7_9	cpe:/o:redhat:enterprise_linux:7::hypervisor	RHSA-2022:5439	2022-07-01T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
redhat-virtualization-host-0:4.5.0-202205291010_8.6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2022:4896	2022-06-03T00:00:00Z
Text-Only JBCS
zlib	cpe:/a:redhat:jboss_core_services:1	RHSA-2022:7144	2022-10-26T00:00:00Z

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-2968-1	zlib security update
Debian DLA	DLA-2993-1	libz-mingw-w64 security update
Debian DLA	DLA-3114-1	mariadb-10.3 security update
Debian DSA	DSA-5111-1	zlib security update
EUVD	EUVD-2022-1454	zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Github GHSA	GHSA-jc36-42cf-vqwj	Nokogiri affected by zlib's Out-of-bounds Write vulnerability
Ubuntu USN	USN-5355-1	zlib vulnerability
Ubuntu USN	USN-5355-2	zlib vulnerability
Ubuntu USN	USN-5359-1	rsync vulnerability
Ubuntu USN	USN-5359-2	rsync vulnerability
Ubuntu USN	USN-5739-1	MariaDB vulnerabilities
Ubuntu USN	USN-6736-1	klibc vulnerabilities
Ubuntu USN	USN-6736-2	klibc vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00089.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
http://seclists.org/fulldisclosure/2022/May/33
http://seclists.org/fulldisclosure/2022/May/35
http://seclists.org/fulldisclosure/2022/May/38
http://www.openwall.com/lists/oss-security/2022/03/25/2
http://www.openwall.com/lists/oss-security/2022/03/26/1
https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf
https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531
https://github.com/madler/zlib/compare/v1.2.11...v1.2.12
https://github.com/madler/zlib/issues/605
https://lists.debian.org/debian-lts-announce/2022/04/msg00000.html
https://lists.debian.org/debian-lts-announce/2022/05/msg00008.html
https://lists.debian.org/debian-lts-announce/2022/09/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCZFIJBJTZ7CL5QXBFKTQ22Q26VINRUF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DF62MVMH3QUGMBDCB3DY2ERQ6EBHTADB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZZPTWRYQULAOL3AW7RZJNVZ2UONXCV4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NS2D2GFPFGOJUL4WQ3DUAY7HF4VWQ77F/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOKNP2L734AEL47NRYGVZIKEFOUBQY5Y/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XOKFMSNQ5D5WGMALBNBXU3GE442V74WU/
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
https://security.gentoo.org/glsa/202210-42
https://security.netapp.com/advisory/ntap-20220526-0009/
https://security.netapp.com/advisory/ntap-20220729-0004/
https://support.apple.com/kb/HT213255
https://support.apple.com/kb/HT213256
https://support.apple.com/kb/HT213257
https://www.cve.org/CVERecord?id=CVE-2018-25032
https://www.debian.org/security/2022/dsa-5111
https://www.openwall.com/lists/oss-security/2022/03/24/1
https://www.openwall.com/lists/oss-security/2022/03/28/1
https://www.openwall.com/lists/oss-security/2022/03/28/3
https://www.oracle.com/security-alerts/cpujul2022.html

History

Thu, 21 Aug 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Microsoft Microsoft windows
CPEs		cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Microsoft Microsoft windows

Tue, 06 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 28 Mar 2025 15:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nokogiri Nokogiri nokogiri
CPEs		cpe:2.3:a:nokogiri:nokogiri::::::ruby::*
Vendors & Products		Nokogiri Nokogiri nokogiri

Subscriptions

Apple Mac Os X Macos

Azul Zulu

Debian Debian Linux

Fedoraproject Fedora

Goto Gotoassist

Mariadb Mariadb

Microsoft Windows

Netapp Active Iq Unified Manager E-series Santricity Os Controller H300s H300s Firmware H410c H410c Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Hci Compute Node Management Services For Element Software Oncommand Workflow Automation Ontap Select Deploy Administration Utility

Nokogiri Nokogiri

Python Python

Redhat Enterprise Linux Jboss Core Services Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus Rhev Hypervisor

Siemens Scalance Sc622-2c Scalance Sc622-2c Firmware Scalance Sc626-2c Scalance Sc626-2c Firmware Scalance Sc632-2c Scalance Sc632-2c Firmware Scalance Sc636-2c Scalance Sc636-2c Firmware Scalance Sc642-2c Scalance Sc642-2c Firmware Scalance Sc646-2c Scalance Sc646-2c Firmware

Zlib Zlib

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2022-03-25T00:00:00.000Z

Updated: 2025-05-06T14:19:53.894Z

Reserved: 2022-03-25T00:00:00.000Z

Link: CVE-2018-25032

Vulnrichment

Updated: 2024-08-05T12:26:39.599Z

NVD

Status : Analyzed

Published: 2022-03-25T09:15:08.187

Modified: 2025-08-21T20:37:11.840

Link: CVE-2018-25032

Redhat

Severity : Important

Publid Date: 2018-04-20T00:00:00Z

Links: CVE-2018-25032 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object