Description
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
Published: 2026-01-07
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption caused by a global buffer overflow in the untgz utility
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a global buffer overflow in the untgz utility, triggered when a user supplies an excessively long archive filename on the command line. The resulting out-of-bounds write corrupts memory in the running process and could lead to arbitrary code execution. It is a classic CWE-120/CWE-787 flaw that does not affect the core zlib library, only the stand-alone demonstration tool.
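The pattern this record describes (an archive name taken from argv[] and copied by an unbounded strcpy() into a fixed-size 1024-byte static global in TGZfname()) next to a bounded replacement, as an added illustration rather than zlib's own code or fix; the function names, the tgz_name_buf buffer, the error-returning contract and the constructed test inputs are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Mirrors the layout described in the CVE record: a fixed-size 1024-byte
 * static global buffer that receives the archive name from argv[]. */
#define TGZ_NAME_MAX 1024
static char tgz_name_buf[TGZ_NAME_MAX];

/* The vulnerable pattern as the record describes it (illustration only,
 * never called below): an unbounded strcpy() of a caller-controlled string
 * into the global. A name of TGZ_NAME_MAX bytes or more overruns the buffer. */
const char *tgzname_unsafe(const char *arcname)
{
    strcpy(tgz_name_buf, arcname);   /* CWE-120: no length check before the copy */
    return tgz_name_buf;
}

/* Hardened replacement (assumed, not zlib's own fix): refuse any name that,
 * with its NUL terminator, does not fit the destination. memchr bounds the
 * scan to outsz bytes, so an oversized argv[] string is never read in full. */
int tgzname_checked(const char *arcname, char *out, size_t outsz)
{
    const char *nul;
    if (arcname == NULL || out == NULL || outsz == 0)
        return -1;
    nul = memchr(arcname, '\0', outsz);
    if (nul == NULL)                 /* no terminator within outsz: too long, reject */
        return -1;
    memcpy(out, arcname, (size_t)(nul - arcname) + 1);
    return 0;
}

/* A normal archive name goes through the checked copy; 0 only if the
 * buffer then holds exactly that name. */
int demo_short_name(void)
{
    int rc = tgzname_checked("archive.tgz", tgz_name_buf, sizeof tgz_name_buf);
    return (rc == 0 && strcmp(tgz_name_buf, "archive.tgz") == 0) ? 0 : -1;
}

/* Constructed input: a name of n 'A' bytes (n <= 4096). Lengths below
 * TGZ_NAME_MAX fit with their terminator; TGZ_NAME_MAX or more is rejected
 * exactly where the original strcpy() would have written past tgz_name_buf. */
int demo_name_of_length(size_t n)
{
    static char longname[4097];
    if (n > 4096)
        return -1;
    memset(longname, 'A', n);
    longname[n] = '\0';
    return tgzname_checked(longname, tgz_name_buf, sizeof tgz_name_buf);
}
```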

Affected Systems

The affected product is zlib as published by the zlib software project. All releases up to and including version 1.3.1.2 are vulnerable. Any deployments that use the untgz tool from these releases are at risk.

Risk and Exploitability

The CVSS score is 4.6 and the EPSS score is below 1 percent, indicating moderate severity with a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires local command-line interaction with the untgz utility, the attack vector is likely a local or privilege-elevated scenario rather than a remote exploit. The risk is therefore limited to environments where the utility is accessible to potential attackers.

Generated by OpenCVE AI on April 16, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade zlib to a release that contains the patch for untgz
  • Remove or restrict the untgz binary from production systems if it is not required
  • Implement input validation to enforce a maximum archive name length before invoking untgz

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 16:30:00 +0000

Metrics
  Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  Added:   cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 15 Jan 2026 14:15:00 +0000

Description
  Removed: zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
  Added:   zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.
Metrics
  Removed: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  Added:   cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}

Wed, 14 Jan 2026 20:30:00 +0000

Weaknesses: CWE-787
CPEs: cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
Metrics
  Removed: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}
  Added:   cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 12 Jan 2026 08:30:00 +0000

References

Thu, 08 Jan 2026 12:30:00 +0000

References
Metrics
  Removed: threat_severity None
  Added:   cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}; threat_severity Important

Thu, 08 Jan 2026 10:00:00 +0000

First Time appeared: Zlib; Zlib zlib
Vendors & Products: Zlib; Zlib zlib

Wed, 07 Jan 2026 22:15:00 +0000

Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 07 Jan 2026 20:45:00 +0000

Description: zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
Title: zlib <= 1.3.1.2 untgz Global Buffer Overflow in TGZfname()
Weaknesses: CWE-120
References
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:07.359Z

Reserved: 2026-01-06T16:47:17.182Z

Link: CVE-2026-22184

Vulnrichment

Updated: 2026-01-12T08:01:52.956Z

NVD

Status : Analyzed

Published: 2026-01-07T21:16:01.563

Modified: 2026-03-18T16:26:31.140

Link: CVE-2026-22184

Redhat

Severity : Important

Public Date: 2026-01-07T20:25:19Z

Links: CVE-2026-22184 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses