CVE-2026-22184

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-22184
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/madler/zlib Product
https://seclists.org/fulldisclosure/2026/Jan/3 Mailing List Third Party Advisory
https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname Third Party Advisory
https://zlib.net/ Product
https://github.com/madler/zlib/issues/1142 Issue Tracking
Configurations

Configuration 1 (hide)

cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
History

15 Jan 2026, 14:16

Type Values Removed Values Added
CWE CWE-120
Summary (en) zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation. (en) zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

14 Jan 2026, 20:24

Type Values Removed Values Added
First Time Zlib
Zlib zlib
CPE cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*
CWE CWE-787
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References () https://github.com/madler/zlib - () https://github.com/madler/zlib - Product
References () https://seclists.org/fulldisclosure/2026/Jan/3 - () https://seclists.org/fulldisclosure/2026/Jan/3 - Mailing List, Third Party Advisory
References () https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname - () https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname - Third Party Advisory
References () https://zlib.net/ - () https://zlib.net/ - Product
References () https://github.com/madler/zlib/issues/1142 - () https://github.com/madler/zlib/issues/1142 - Issue Tracking

12 Jan 2026, 08:16

Type Values Removed Values Added
References
  • () https://github.com/madler/zlib/issues/1142 -

07 Jan 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-07 21:16

Updated : 2026-01-15 14:16

NVD link : CVE-2026-22184

Mitre link : CVE-2026-22184

CVE.ORG link : CVE-2026-22184

JSON object : View

Products Affected

zlib

  • zlib
CWE
CWE-787

Out-of-bounds Write