Description
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
Published: 2026-04-16
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Apply Patch
AI Analysis

Impact

The flaw is a buffer overflow in Zlib::GzipReader's zstream_buffer_ungets function within the Ruby zlib library. The function prepends caller-supplied bytes ahead of existing output but does not verify the backing Ruby string has adequate capacity before the memmove operation. When the combined input exceeds the capacity, memory corruption occurs. This type of vulnerability aligns with CWE-120 and CWE-131 and can result in arbitrary code execution or process crash if an attacker supplies a sufficiently large payload.

Affected Systems

Affected are Ruby zlib versions 3.0.0 and earlier, 3.1.0, 3.1.1, 3.2.0, and 3.2.1. The issue was fixed in versions 3.0.1, 3.1.2, and 3.2.3. All Ruby applications that depend on zlib and invoke Zlib::GzipReader#ungetc with large streams are vulnerable.

Risk and Exploitability

The CVSS score is 1.7, indicating low severity. Exploit probability is not available, and it is not recognized in the CISA known exploitation catalog. Based on the description, it is inferred that the likely attack vector involves supplying a large gzip payload to the Zlib::GzipReader#ungetc method, which could trigger the overflow. The risk is limited to applications that accept large gzip payloads but should still be mitigated promptly.

Generated by OpenCVE AI on April 17, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ruby zlib library to version 3.0.1, 3.1.2, 3.2.3 or later.
  • Avoid using Zlib::GzipReader#ungetc on data from untrusted sources.
  • Validate input size and reject gzip streams exceeding a safe threshold before passing them to ungetc.

Generated by OpenCVE AI on April 17, 2026 at 04:52 UTC.
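To act on the affected-version list and the input-size mitigation above, here is an added Ruby example (it is not OpenCVE's text and not the zlib gem's own code). It assumes the advisory's fixed releases as branch cut-offs, conservatively treating any lower patch level within a branch as affected, and uses a 4096-byte push-back cap chosen only for illustration.

```ruby
# Added example (not OpenCVE's or the zlib gem's code): classify a Ruby zlib
# gem version against the ranges in this advisory, and bound GzipReader#ungetc.
require "zlib"
require "stringio"

# Release that fixes each affected branch, as stated in the advisory.
# Assumption (conservative): any release below a branch's fixed version is
# treated as affected, including patch levels the advisory does not name.
FIXED_BY_BRANCH = {
  "3.0" => Gem::Version.new("3.0.1"),
  "3.1" => Gem::Version.new("3.1.2"),
  "3.2" => Gem::Version.new("3.2.3"),
}.freeze

# true when the given gem version falls in an affected range.
def zlib_gem_affected?(version_string)
  v = Gem::Version.new(version_string)
  branch = "#{v.segments[0]}.#{v.segments[1] || 0}"
  fixed = FIXED_BY_BRANCH[branch]
  return v < fixed if fixed
  # "3.0.0 and below" covers every pre-3.0 release; branches newer than 3.2
  # are not listed by the advisory and are treated as unaffected.
  v < Gem::Version.new("3.0.0")
end

# Zlib::VERSION is the Ruby zlib extension version (Zlib::ZLIB_VERSION is the
# C library); this checks the extension loaded into the current process.
def installed_zlib_affected?
  zlib_gem_affected?(Zlib::VERSION)
end

# Mitigation from the advisory: reject oversized ungetc payloads before they
# reach the extension. The 4096-byte cap is an assumption for this example.
MAX_UNGETC_BYTES = 4096

def guarded_ungetc(reader, data, max: MAX_UNGETC_BYTES)
  data = data.to_s
  if data.bytesize > max
    raise ArgumentError, "ungetc payload of #{data.bytesize} bytes exceeds cap of #{max}"
  end
  reader.ungetc(data)
  data.bytesize
end

if __FILE__ == $PROGRAM_NAME
  puts "zlib ext #{Zlib::VERSION}: #{installed_zlib_affected? ? 'AFFECTED' : 'not affected'}"
  reader = Zlib::GzipReader.new(StringIO.new(Zlib.gzip("hello")))  # constructed input
  reader.read(1)
  guarded_ungetc(reader, "X")
  puts reader.read  # "Xello"
end
```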


Advisories

Source: GitHub GHSA
ID: GHSA-g857-hhfv-j68w
Title: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
History

Thu, 21 May 2026 19:45:00 +0000
  First Time appeared - added: Ruby-lang; Ruby-lang zlib
  CPEs - added: cpe:2.3:a:ruby-lang:zlib:*:*:*:*:*:ruby:*:*
  Vendors & Products - added: Ruby-lang; Ruby-lang zlib
  Metrics - removed: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  Metrics - added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 17 Apr 2026 08:15:00 +0000
  First Time appeared - added: Ruby; Ruby zlib
  Vendors & Products - added: Ruby; Ruby zlib

Fri, 17 Apr 2026 00:15:00 +0000
  References
  Metrics - removed: threat_severity None
  Metrics - added: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}
  Metrics - added: threat_severity Moderate

Thu, 16 Apr 2026 19:15:00 +0000
  Metrics - added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 18:00:00 +0000
  Description - added: zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
  Title - added: zlib: Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
  Weaknesses - added: CWE-120; CWE-131
  References
  Metrics - added: cvssV4_0 {'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T18:20:21.451Z

Reserved: 2026-02-24T02:32:39.799Z

Link: CVE-2026-27820

Vulnrichment

Updated: 2026-04-16T18:20:15.404Z

NVD

Status : Analyzed

Published: 2026-04-16T18:16:44.770

Modified: 2026-05-21T19:31:19.270

Link: CVE-2026-27820

Red Hat

Severity : Moderate

Public Date: 2026-04-16T17:27:48Z

Links: CVE-2026-27820 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T08:01:29Z

Weaknesses