Description
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Published: 2026-02-18
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via CPU exhaustion
Action: Patch Now
AI Analysis

Impact

zlib before version 1.3.2 contains an infinite loop in the crc32_combine64 and crc32_combine_gen64 functions due to the x2nmodp routine performing right shifts inside a loop that never terminates. This flaw consumes excessive CPU time and can cause the process that invokes these functions to hang, resulting in a denial of service. The vulnerability is a local request for service interruption rather than remote code execution.

Affected Systems

The affected product is the zlib compression library, supplied by the zlib project. All releases prior to zlib 1.3.2 are vulnerable. Systems that statically or dynamically link against these older zlib versions are impacted.

Risk and Exploitability

The CVSS score is 2.9, reflecting low severity. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Direct exploitation requires an attacker to supply specially crafted data that triggers the infinite loop, suggesting the attack vector is likely local or via a trusted application that processes untrusted input. The low severity and exploitation probability mean the risk is modest, but in environments relying on high availability, the DoS possibility is still operationally significant.

Generated by OpenCVE AI on April 17, 2026 at 18:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the zlib library to version 1.3.2 or later, which removes the infinite loop in the CRC32 combine functions.
  • Recompile or relink all applications that depend on zlib to use the patched library.
  • If an immediate upgrade is not possible, contain the affected processes in a resource‑limited container or use CPU throttling to prevent a single process from exhausting system resources.
  • Monitor CPU usage for processes that invoke zlib functions, and consider adding watchdog mechanisms to restart hung processes.

Generated by OpenCVE AI on April 17, 2026 at 18:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Title zlib: zlib: Denial of Service via infinite loop in CRC32 combine functions
Weaknesses CWE-835
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 18 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 03:30:00 +0000

Type Values Removed Values Added
Description zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
First Time appeared Zlib
Zlib zlib
Weaknesses CWE-1284
CPEs cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
Vendors & Products Zlib
Zlib zlib
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Zlib Zlib
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-18T13:38:55.713Z

Reserved: 2026-02-18T02:36:19.339Z

Link: CVE-2026-27171

cve-icon Vulnrichment

Updated: 2026-02-18T13:36:01.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T04:16:01.263

Modified: 2026-03-25T21:27:04.603

Link: CVE-2026-27171

cve-icon Redhat

Severity : Low

Publid Date: 2026-02-18T02:36:19Z

Links: CVE-2026-27171 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T19:00:11Z

Weaknesses