CVE-2026-22184
Unknown Unknown - Not Provided
Buffer Overflow in zlib untgz Utility Causes Memory Corruption

Publication date: 2026-01-07

Last updated on: 2026-03-18

Assigner: VulnCheck

Description
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22184
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor zlib to 1.3.1.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22184 is a critical global buffer overflow vulnerability in the untgz utility of zlib versions up to and including 1.3.1.2. The vulnerability exists in the TGZfname() function, which copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without validating the length of the input. If the supplied archive name exceeds 1024 bytes, it causes an out-of-bounds write leading to memory corruption. This overflow happens before any archive parsing or validation, and because the buffer is global, the memory corruption can persist beyond the function scope, potentially affecting later program behavior. [2, 3]

Impact Analysis

This vulnerability can lead to denial of service by crashing the program, corruption of adjacent global memory objects, undefined behavior, and potentially arbitrary code execution. The actual impact depends on factors such as the compiler, build flags, system architecture, and memory layout. An attacker can exploit this by supplying an archive name longer than 1024 bytes, causing a global buffer overflow that may allow them to execute malicious code or disrupt normal program operation. [2, 3]

Detection Guidance

This vulnerability can be detected by testing the untgz utility with an archive name longer than 1024 bytes to trigger the global buffer overflow. Using AddressSanitizer (ASAN) during testing can help detect the global-buffer-overflow error. For example, running untgz with a very long filename argument (e.g., 4096 bytes) under ASAN will reveal the overflow. Specific commands might include compiling untgz with ASAN enabled and then executing: ./untgz $(python3 -c 'print("A"*4096)') to trigger and detect the overflow. [2]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of vulnerable versions of zlib (up to and including 1.3.1.2) for untgz, especially with untrusted input. If possible, update to a fixed or patched version of zlib that addresses this buffer overflow. Additionally, do not supply archive names longer than 1024 bytes to the untgz utility. Running untgz in a restricted environment or sandbox to limit potential damage from exploitation can also help mitigate risk until a patch is applied. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22184. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart