CVE-2026-22184
Buffer Overflow in zlib untgz Utility Causes Memory Corruption
Publication date: 2026-01-07
Last updated on: 2026-03-18
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | zlib | up to and including 1.3.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22184 is a global buffer overflow in untgz, the archive-extraction utility shipped in zlib's contrib directory (contrib/untgz/untgz.c), in versions up to and including 1.3.1.2. The flaw is in TGZfname(): the archive name taken from argv[] is copied into a 1024-byte static global buffer with an unbounded strcpy() and no length check. An archive name of 1024 bytes or more therefore writes past the end of the buffer and corrupts whatever the linker placed after it in the data segment. The overflow happens before any archive parsing or validation, so no crafted .tgz file is needed, only a long command-line argument. Because the buffer is global rather than on the stack, the corrupted memory outlives the function call and can change later program behaviour. Note that the bug lives in the untgz command-line tool, not in libz itself; applications that only link the zlib library are not affected by this CVE. [2, 3]
How can this vulnerability impact me? :
The overflow can crash untgz (denial of service), corrupt adjacent global objects, cause undefined behaviour, and in principle lead to arbitrary code execution. The practical outcome depends on the compiler, build flags, architecture and memory layout: a build with _FORTIFY_SOURCE and optimisation enabled will usually abort on the checked strcpy() instead of silently corrupting memory, while an unhardened build may crash or continue with corrupted globals. Exploitation requires control of the archive-name argument, so the realistic exposure is any wrapper, script or service that passes user-supplied file names to untgz. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is a local command-line bug, so there is nothing to observe on the network; detection means finding untgz binaries and zlib source trees (look for contrib/untgz/untgz.c or a built untgz executable) and confirming the flaw on a test build. Compiling untgz with AddressSanitizer and passing an over-long archive name makes the global-buffer-overflow explicit. Assuming a Linux host with gcc and zlib's development headers installed, a check might look like: cc -g -fsanitize=address -o untgz untgz.c -lz, followed by ./untgz "$(python3 -c 'print("A"*4096)')". Under ASAN this reports a global-buffer-overflow with TGZfname() in the stack trace; without ASAN the same input may merely crash, or may appear to run normally while globals are corrupted, so absence of a crash is not evidence of a fix. Quote the substituted argument so the shell passes it as a single argv entry. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation: stop feeding untrusted archive names to untgz built from zlib versions up to and including 1.3.1.2, and update to a release that carries the fix for this issue as soon as one is available. Until then, validate the length of any file name a script or service passes to untgz (anything approaching 1024 bytes must be rejected before the call), run untgz as an unprivileged user inside a sandbox or container so a successful exploit gains little, and remember that rebuilding with hardening flags such as _FORTIFY_SOURCE turns a silent corruption into a clean abort but does not remove the bug. Since untgz is a contrib example program rather than part of libz, removing it from production images where it is not needed eliminates the exposure entirely. [2, 3]
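The following C program is an added illustration, not zlib's source code: it models the unbounded-copy pattern the explanation above attributes to TGZfname() beside a bounded rewrite of the kind the mitigation advice calls for. The suffix list, the function names and the 1024-byte buffer size are assumptions taken from the description on this page, and the vulnerable variant is never invoked with over-long input because that call is exactly the out-of-bounds write being described.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Size of the static name buffer described in the advisory (assumed). */
#define NAME_BUF 1024

/* Suffixes tried when locating the archive. Assumed for this example
   and modelled on untgz's behaviour, not copied from it. The first entry
   is the empty suffix, i.e. the name exactly as given. */
static const char *tgz_suffix[] = { "", ".tar", ".tar.gz", ".taz", ".tgz", NULL };

/* Vulnerable pattern: unbounded strcpy() from argv into a fixed static
   buffer, then suffixes appended with no bound either. Kept only for
   contrast; nothing below calls it with untrusted input. */
char *tgzfname_unbounded(const char *arcname)
{
    static char buffer[NAME_BUF];
    size_t origlen;
    int i;

    strcpy(buffer, arcname);              /* overflow if arcname >= 1024 bytes */
    origlen = strlen(buffer);
    for (i = 0; tgz_suffix[i]; i++) {
        strcpy(buffer + origlen, tgz_suffix[i]);   /* and again here */
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    return NULL;
}

/* Bounds check for the fix: name + longest suffix + NUL must fit in
   bufsize bytes. strnlen() stops at bufsize, so a huge argv entry is
   not scanned to its end. */
int arcname_fits(const char *arcname, size_t bufsize)
{
    size_t maxsuf = 0, len, l;
    int i;

    for (i = 0; tgz_suffix[i]; i++) {
        l = strlen(tgz_suffix[i]);
        if (l > maxsuf)
            maxsuf = l;
    }
    len = strnlen(arcname, bufsize);
    return len + maxsuf < bufsize;        /* strict: leaves room for the NUL */
}

/* Hardened variant: same lookup, but oversized names are rejected up
   front and every copy uses a length already known to fit. */
char *tgzfname_bounded(const char *arcname)
{
    static char buffer[NAME_BUF];
    size_t origlen;
    int i;

    if (!arcname_fits(arcname, sizeof buffer))
        return NULL;
    origlen = strlen(arcname);
    memcpy(buffer, arcname, origlen + 1);
    for (i = 0; tgz_suffix[i]; i++) {
        memcpy(buffer + origlen, tgz_suffix[i], strlen(tgz_suffix[i]) + 1);
        if (access(buffer, F_OK) == 0)
            return buffer;
    }
    return NULL;
}

/* Does a constructed name of n 'A' bytes pass the bounds check?
   Returns 1 if accepted, 0 if rejected, -1 on allocation failure. */
int name_length_accepted(size_t n)
{
    char *name = malloc(n + 1);
    int ok;

    if (!name)
        return -1;
    memset(name, 'A', n);
    name[n] = '\0';
    ok = arcname_fits(name, NAME_BUF);
    free(name);
    return ok;
}

/* Shows the hardened lookup still resolves a real file: creates a
   temporary file, resolves it through tgzfname_bounded(), removes it. */
int bounded_finds_existing_file(void)
{
    char path[] = "/tmp/untgz-demo-XXXXXX";
    int fd = mkstemp(path);
    char *found;
    int ok;

    if (fd < 0)
        return 0;
    close(fd);
    found = tgzfname_bounded(path);
    ok = found != NULL && strcmp(found, path) == 0;
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "archive";
    char *found;

    if (!arcname_fits(name, NAME_BUF)) {
        fprintf(stderr, "rejected: archive name too long (%zu bytes)\n", strlen(name));
        return 1;
    }
    found = tgzfname_bounded(name);
    printf("%s\n", found ? found : "archive not found");
    return 0;
}
```

With the assumed suffix list the longest suffix is ".tar.gz" (7 bytes), so the bounded version accepts names of up to 1016 bytes and rejects anything longer; the same 4096-byte argument that overflows the unbounded pattern is refused before any copy happens. The check is deliberately computed from the suffix table rather than hard-coded, because a fix that only guards the first strcpy() still leaves the suffix append to write past the end.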