- Product: GNU gzip
- Vulnerabilities: 2 flaws (CVE-2026-41991, CVE-2026-41992)
- Highest severity: 6.9 (Medium · CVSSv3)
- Worst impact: Out-of-bounds read from a global buffer in the LZH decoder (CVE-2026-41992)
- Status: No confirmed exploitation yet
- Action: Update to a patched gzip build from your distribution; see vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-41992 | 6.9 | Global buffer overflow (out-of-bounds read) in the LZH decoder | Not exploited |
| CVE-2026-41991 | 2.0 | Predictable temporary file in the gzexe helper script | Not exploited |
TL;DR
CERT Polska disclosed two flaws in GNU gzip on 29 June 2026. The first, CVE-2026-41991, lets a local attacker overwrite files through the gzexe helper script. The second, CVE-2026-41992, triggers an out-of-bounds read in the LZH decoder. Both bugs affect every gzip release up to and including 1.14.
Why It Matters
gzip ships on nearly every Linux and Unix system, so these flaws reach a very large install base. The file-overwrite bug needs local access, but it writes with the privileges of whoever runs gzexe, so it can chain toward privilege escalation when a privileged user or scheduled job invokes the script. Administrators should therefore patch without delay.
How the Attack Works
CVE-2026-41991: gzexe symlink attack
The first flaw sits in the gzexe helper script. When mktemp is not found in PATH, gzexe falls back to a temporary filename built from its process ID alone. That name is predictable, and the fallback performs no existence or symlink check before writing. A local user can therefore plant a symlink at the expected path ahead of time; when gzexe writes its temporary file, the shell redirection follows the link and overwrites the target with the privileges of the user running gzexe. This is the classic predictable temporary file attack: the attacker only needs to guess the PID, and the gap between choosing the name and writing to it is the time-of-check to time-of-use window.
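The following added example (not gzexe's own code) models the pattern described above in a sandbox: a temporary name derived from a PID alone, a symlink planted at that name, and a write that follows it. Beside it sits a fail-closed alternative that uses mktemp, refuses symlinks, and never falls back to a predictable name. The function names, the PID 4242 and the victim file are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not part of gzip or gzexe. Models the temp-file pattern the
# advisory describes, with a planted symlink, beside a fail-closed alternative.
# Names (unsafe_tmp_write, safe_tmp_write, demo_*) are hypothetical.

# Vulnerable pattern: name built from a PID only, no existence or symlink
# check, so `>` follows whatever an attacker planted at that path.
unsafe_tmp_write() {        # unsafe_tmp_write DIR PID CONTENT
    tmp="$1/gzexe$2"
    printf '%s\n' "$3" > "$tmp"
}

# Hardened pattern: unpredictable name created atomically by mktemp, then
# verified to be a regular file and not a symlink. If mktemp is missing the
# function refuses instead of falling back to a $$-based name.
safe_tmp_write() {          # safe_tmp_write DIR CONTENT ; prints the temp path
    command -v mktemp >/dev/null 2>&1 || {
        echo "mktemp unavailable, refusing to guess a temp name" >&2
        return 1
    }
    tmp=$(mktemp "$1/gzexeXXXXXXXXXX") || return 1
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Sandbox (constructed test data): a victim file plus a symlink planted at
# the predictable name an attacker expects gzexe to use for PID 4242.
setup_sandbox() {           # prints the sandbox directory
    d=$(mktemp -d) || return 1
    printf 'original\n' > "$d/victim"
    ln -s "$d/victim" "$d/gzexe4242"
    printf '%s\n' "$d"
}

# Victim content after the unsafe write: the symlink was followed.
demo_unsafe() {
    d=$(setup_sandbox) || return 1
    unsafe_tmp_write "$d" 4242 "attacker controlled"
    cat "$d/victim"
    rm -rf "$d"
}

# Victim content after the safe write: the planted link is never touched.
demo_safe() {
    d=$(setup_sandbox) || return 1
    safe_tmp_write "$d" "harmless" >/dev/null || return 1
    cat "$d/victim"
    rm -rf "$d"
}

demo_unsafe     # prints: attacker controlled
demo_safe       # prints: original
```

The safe variant deliberately has no PID-based fallback: when the only tool that can create a name atomically is absent, stopping is the correct behaviour, because any fallback that a script can compute, an attacker on the same host can compute too.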
CVE-2026-41992: poisoned LZH state
The second flaw lives in the LZH decompression code. gzip shares one global array among its LZ77 (deflate), LZW (compress) and LZH decoders and does not reset it between inputs. When a single gzip command processes a crafted LZW file and then an LZH file, the state left behind by the first input poisons the second, and the LZH decoder reads past the end of the buffer. The trigger therefore depends on both files being handled by the same gzip process.
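As an added example (not gzip's own code), the wrapper below applies two interim controls that follow from the description above: it gates inputs on the gzip magic bytes (1f 8b), so the legacy LZW (1f 9d) and LZH (1f a0) decoders are never reached, and it runs one gzip process per file, so no decoder state can carry over from one input to the next. The function names are hypothetical; the magic values are the ones gzip itself recognizes.

```shell
#!/bin/sh
# Added example, not part of gzip. Interim workaround for the cross-file
# state poisoning described in the advisory. Function names are hypothetical.

# Print the container format implied by the first two bytes of FILE.
# Magic values as recognized by gzip: 1f 8b gzip, 1f 9d compress (LZW),
# 1f a0 LZH, 1f 1e pack. Anything else is reported as unknown.
classify_magic() {          # classify_magic FILE
    m=$(od -A n -N 2 -t x1 "$1" | tr -d ' \n')
    case $m in
        1f8b) echo gzip ;;
        1f9d) echo compress ;;
        1fa0) echo lzh ;;
        1f1e) echo pack ;;
        *)    echo unknown ;;
    esac
}

# Decompress FILE... with one gzip process per file, accepting only
# gzip-format inputs. Output goes to FILE minus its .gz suffix, or to
# FILE.out when there is no such suffix. Returns 1 if any input was
# rejected or failed; rejected inputs are left untouched.
decompress_isolated() {     # decompress_isolated FILE...
    rc=0
    for f in "$@"; do
        kind=$(classify_magic "$f")
        if [ "$kind" != gzip ]; then
            echo "skip $f: $kind input, not gzip format" >&2
            rc=1
            continue
        fi
        out=${f%.gz}
        [ "$out" = "$f" ] && out=$f.out
        # A fresh gzip process per file: global decoder state from a
        # previous input cannot survive into this one.
        gzip -dc "$f" > "$out" || rc=1
    done
    return $rc
}
```

Restricting inputs by magic bytes is stricter than checking the filename: a file called archive.gz that actually starts with 1f a0 is exactly the kind of input that reaches the LZH decoder, and the gate rejects it regardless of its name.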
Affected Versions
Both issues affect all GNU gzip releases up to and including 1.14. No public exploit or in-the-wild abuse has been confirmed.
Patch and Mitigation
The maintainers fixed both bugs in upstream commits. Update to a build that carries those fixes, normally the patched package from your distribution. Until then, make sure mktemp is installed and on the PATH of anything that runs gzexe, since the predictable-name fallback is only taken when mktemp is missing, and avoid passing several legacy-format files to one gzip command. CERT Polska coordinated the disclosure and credited AFINE researchers Michal Majchrowicz and Marcin Wyczechowski.