CVE-2026-22184

Severity: Medium (CVSS 4.0 base score 4.6)
EPSS: 11.3%
Published: Jan 7, 2026
Last Modified: Jun 17, 2026

Description

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility shipped under contrib/untgz. The vulnerability is confined to that standalone demonstration utility and does not affect the core zlib compression library (libz). The flaw is triggered when a user runs untgz with an archive name on the command line that is longer than the fixed-size global buffer used to hold it, producing an out-of-bounds write past the end of that buffer (the VulnCheck advisory referenced below locates it in the TGZfname helper). Because the over-long name has to be passed to a locally executed command, the CVSS vector scores it as local with active user interaction.
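To make the bug class concrete, here is an added C illustration of the pattern the description refers to, set beside a hardened form. This is constructed example code, not the untgz source: the suffix list, the existence callback and the helper names are assumptions for the demo; only the shape (a TGZfname-style helper that appends candidate suffixes to a user-supplied name inside a fixed-size static buffer) follows the page.

```c
/*
 * Added illustration of CWE-787 in a fixed-size global buffer, modelled on the
 * job the advisory attributes to TGZfname: build "<archive name><suffix>"
 * candidates and probe each one. Constructed example, not the untgz source.
 * The suffix list and the existence callback are assumptions for the demo.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static const char *const TGZ_SUFFIXES[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* Vulnerable pattern: the archive name comes straight from argv[], and nothing
 * bounds the copies into the 1024-byte static buffer. A longer argument writes
 * past the end of `buffer` into whatever the linker placed after it in .bss.
 * Kept only for contrast; never call it with untrusted input. */
static char *tgz_fname_unsafe(const char *arcname, int (*exists)(const char *))
{
    static char buffer[1024];
    size_t origlen;
    int i;

    strcpy(buffer, arcname);                        /* unbounded copy #1 */
    origlen = strlen(buffer);
    for (i = 0; TGZ_SUFFIXES[i]; i++) {
        strcpy(buffer + origlen, TGZ_SUFFIXES[i]);  /* unbounded copy #2 */
        if (exists(buffer))
            return buffer;
    }
    return NULL;
}

/* Hardened form: the caller owns the output buffer and passes its size, and
 * every write goes through snprintf with a truncation check, so an over-long
 * name is rejected instead of written out of bounds. Truncating silently would
 * also be wrong, since it would probe a different path than the user named.
 * Returns 0 and fills `out` on success, -1 if no candidate exists,
 * -2 if "<arcname><suffix>" cannot fit in `out`. */
static int tgz_fname_safe(const char *arcname, int (*exists)(const char *),
                          char *out, size_t outsz)
{
    int i;

    for (i = 0; TGZ_SUFFIXES[i]; i++) {
        int n = snprintf(out, outsz, "%s%s", arcname, TGZ_SUFFIXES[i]);
        if (n < 0 || (size_t)n >= outsz)
            return -2;
        if (exists(out))
            return 0;
    }
    return -1;
}

/* Constructed stand-in for access(path, F_OK) so the example runs offline:
 * pretends that exactly one archive, backup.tar.gz, is present. */
static int demo_exists(const char *path)
{
    return strcmp(path, "backup.tar.gz") == 0;
}

int main(void)
{
    char out[1024];
    char longname[3000];
    int rc;

    /* Short name: both versions resolve it to backup.tar.gz. */
    printf("unsafe: %s\n", tgz_fname_unsafe("backup", demo_exists));
    rc = tgz_fname_safe("backup", demo_exists, out, sizeof out);
    printf("safe: rc=%d out=%s\n", rc, out);

    /* Over-long name, the case the CVE describes: the hardened version
     * refuses it (rc=-2); the unsafe one would overflow its static buffer. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    rc = tgz_fname_safe(longname, demo_exists, out, sizeof out);
    printf("safe with %zu-byte name: rc=%d\n", strlen(longname), rc);
    return 0;
}
```

The check that matters is the `(size_t)n >= outsz` comparison: snprintf reports the length the full string would have had, so a return value at or above the buffer size means the name did not fit and must be rejected before any probe.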

CVSS Details

Base Score
4.6
Vector string
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Attack Requirements None
Privileges Required None
User Interaction Active
Vulnerable System Impact Confidentiality Low, Integrity None, Availability Low
Subsequent System Impact None

Threat Intelligence

EPSS Exploit Probability
11.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses (1)

CWE-787: Out-of-bounds Write (Memory Safety)

Affected Products (1)

Vendor: zlib
Product: zlib
Version: *
Range: ≤ 1.3.1.2

References (5)

  • github.com https://github.com/madler/zlib
    Product
  • github.com https://github.com/madler/zlib/issues/1142
    Issue Tracking
  • seclists.org https://seclists.org/fulldisclosure/2026/Jan/3
    Mailing List, Third Party Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname
    Third Party Advisory
  • zlib.net https://zlib.net/
    Product

Remediation

No remediation data recorded yet.

Check vendor advisories and the NVD entry for patch availability. Since the overflow is confined to the standalone contrib/untgz demonstration tool and the core compression library is unaffected, builds and packages that do not compile or ship contrib/untgz need no library update for this issue; where untgz is in use, avoid passing it archive names from untrusted sources until a fixed version is available.