A critical vulnerability has been discovered in zlib, the lossless data-compression engine used on “virtually any computer hardware and operating system.” Tracked as CVE-2026-22184, this global buffer overflow flaw carries a severe CVSS score of 9.3, posing a significant threat to systems relying on the library’s untgz utility.
The vulnerability stems from a fundamental error in memory management within the utility’s code. By simply supplying an overly long archive name, an attacker can trigger a memory corruption cascade that could lead to a system crash or, in worst-case scenarios, remote code execution.
The core of the issue lies in the TGZfname() function. According to the disclosure, this function is responsible for handling archive names passed via the command line. However, it makes a fatal mistake: it “copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call”.
The code fails to validate the length of the input before copying it. This means that if an attacker supplies an archive name longer than 1024 bytes, the data spills over the edges of the buffer.
“Supplying an archive name longer than 1024 bytes results in an out-of-bounds write past the end of the global buffer, leading to memory corruption,” the report explains.
What makes this vulnerability particularly dangerous is its ease of access. The flaw is located right at the front door of the program. “The vulnerable code is reached prior to any archive parsing or validation, making the flaw trivially reachable through command-line input alone”.
An attacker doesn’t need to craft a complex malicious file structure; they simply need to invoke the utility with a “sufficiently long filename argument”.
Because the overflow affects a global static array rather than a stack-allocated one, the corruption can be insidious. “Corruption may persist beyond the scope of the function and influence later program behavior,” leading to undefined behavior or crashes.
The potential fallout ranges from a denial of service (DoS) to potential code execution, depending on the specific environment’s compiler, architecture, and memory layout.
The vulnerability impacts zlib versions up to and including 1.3.1.2. Administrators and developers using the untgz utility are strongly advised to assess their exposure and look for patched versions to mitigate this critical risk.
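The pattern the advisory describes, an unbounded strcpy() from argv[] into a fixed 1024-byte static global, is shown below beside a bounded replacement. This is an added, constructed example and is not zlib’s untgz source: the buffer name, the function names (tgz_fname_unchecked, tgz_fname_checked, tgz_fname_current, tgz_fname_accepts_length) and the error message are this example’s own; only the 1024-byte size and the TGZfname() behaviour it mirrors come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Matches the 1024-byte static global the advisory describes.
 * Everything else in this file is a constructed illustration. */
#define TGZ_NAME_BUFSIZE 1024

static char tgz_name_buf[TGZ_NAME_BUFSIZE];

/* The defect pattern: copy a command-line argument into the fixed-size
 * global with no length check. Kept only for contrast with the checked
 * version below; an argument of 1024 bytes or more writes past the end. */
void tgz_fname_unchecked(const char *arg)
{
    strcpy(tgz_name_buf, arg);
}

/* Hardened replacement. Refuses any name that would not fit together with
 * its terminating NUL and leaves the buffer untouched on rejection.
 * Returns 0 on success, -1 if the name is too long. */
int tgz_fname_checked(const char *arg)
{
    /* memchr stops at the first NUL and never looks past TGZ_NAME_BUFSIZE
     * bytes, so an arbitrarily long argv[] string is bounded work. */
    const char *nul = memchr(arg, '\0', TGZ_NAME_BUFSIZE);
    if (nul == NULL) {
        fprintf(stderr, "untgz: archive name too long (limit %d bytes)\n",
                TGZ_NAME_BUFSIZE - 1);
        return -1;
    }
    size_t len = (size_t)(nul - arg);       /* len <= BUFSIZE - 1 here */
    memcpy(tgz_name_buf, arg, len + 1);     /* copies the NUL as well */
    return 0;
}

/* Read back the stored name (for callers and for the self-checks). */
const char *tgz_fname_current(void)
{
    return tgz_name_buf;
}

/* Probe the length limit: build a constructed name of name_len bytes and
 * return what tgz_fname_checked() says about it. Used to show where the
 * boundary sits without ever touching the unchecked path. */
int tgz_fname_accepts_length(size_t name_len)
{
    char *name = malloc(name_len + 1);
    if (name == NULL)
        return -1;
    memset(name, 'a', name_len);
    name[name_len] = '\0';
    int rc = tgz_fname_checked(name);
    free(name);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s archive.tgz\n", argv[0]);
        return 2;
    }
    /* The check runs before any archive is opened, mirroring where the
     * advisory says the vulnerable copy happens. */
    if (tgz_fname_checked(argv[1]) != 0)
        return 1;
    printf("archive name accepted: %s\n", tgz_fname_current());
    return 0;
}
```

The boundary is 1023 characters: that is the longest name that fits with its NUL terminator, so a 1024-character argument is exactly the first input the unchecked version mishandles and the first one the checked version rejects. Rejecting rather than truncating is the safer choice here, because a silently shortened archive name would make the utility open a different file than the one the user asked for.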