CVE-2026-27820

zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w	Vendor Advisory
https://hackerone.com/reports/3467067	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:zlib::::::ruby::*
	cpe:2.3:a:ruby-lang:zlib::::::ruby::*
	cpe:2.3:a:ruby-lang:zlib::::::ruby::*

History

21 May 2026, 19:31

Type	Values Removed	Values Added
References	~~() https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w -~~	() https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w - Vendor Advisory
References	~~() https://hackerone.com/reports/3467067 -~~	() https://hackerone.com/reports/3467067 - Permissions Required
CPE		cpe:2.3:a:ruby-lang:zlib::::::ruby::*
First Time		Ruby-lang zlib Ruby-lang
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

16 Apr 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-16 18:16

Updated : 2026-05-21 19:31

NVD link : CVE-2026-27820

Mitre link : CVE-2026-27820

CVE.ORG link : CVE-2026-27820

JSON object : View

Products Affected

ruby-lang

zlib

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-131

Incorrect Calculation of Buffer Size

{"id": "CVE-2026-27820", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-16T18:16:44.770", "references": [{"url": "https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/3467067", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-131"}]}], "descriptions": [{"lang": "en", "value": "zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3."}], "lastModified": "2026-05-21T19:31:19.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:zlib:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "5DE8B341-809F-4E90-AA03-28B264F35B52", "versionEndExcluding": "3.0.1"}, {"criteria": "cpe:2.3:a:ruby-lang:zlib:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "C9B291C1-492A-4684-BE65-36D10D28679F", "versionEndExcluding": "3.1.2", "versionStartIncluding": "3.1.0"}, {"criteria": "cpe:2.3:a:ruby-lang:zlib:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "CD9F2E4A-7F44-43CD-8745-28BC10E5FA04", "versionEndExcluding": "3.2.3", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}