Description
GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation.
By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer.

This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GNU gzip contains a global buffer overflow flaw in its LZH decompression logic. The runtime shares a global array across LZ77, LZW, and LZH paths and fails to reset it between files processed in the same gzip command. By decompressing a crafted LZW file followed by a crafted LZH file in a single execution, an attacker can poison this shared state and trigger an out‑of‑bounds read in the LZH decoder. The vulnerability allows the read of memory beyond the allocated buffer, potentially exposing sensitive data rather than directly enabling code execution.

Affected Systems

The flaw affects the GNU gzip command‑line utility on Linux and Unix systems. All releases prior to the patch commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681 are vulnerable; the specific version numbers affected are not enumerated in the advisory but the change is applied in that commit.

Risk and Exploitability

The CVSS v3 score of 6.9 reflects a moderate impact. No EPSS score is publicly available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local or remote, if an attacker can supply a crafted LZW file followed by a crafted LZH file to a gzip process—for instance, through a malicious archive file or a service that decompresses user data. The exploit requires that both files be processed in the same gzip invocation, so the risk is higher in environments that combine multiple files in a single decompression call.

Generated by OpenCVE AI on June 29, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update gzip to a version that incorporates commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681 or later.
  • Revise any scripts or automation that invoke gzip to decompress multiple files in one command so that each file is processed in a separate gzip invocation, preventing reuse of the shared global state.
  • Monitor gzip processes for crashes, anomalous memory reads, or log entries that could indicate exploitation attempts; keep audit logs enabled and alert on abnormal behavior.

Generated by OpenCVE AI on June 29, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu gzip
Vendors & Products Gnu
Gnu gzip

Mon, 29 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Description GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out‑of‑bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in the commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681
Title Global Buffer Overflow in GNU gzip
Weaknesses CWE-126
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gnu Gzip
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-29T13:30:43.882Z

Reserved: 2026-04-23T08:06:09.511Z

Link: CVE-2026-41992

cve-icon Vulnrichment

Updated: 2026-06-29T13:30:38.923Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T18:00:05Z

Weaknesses