CVE-2026-41992
Received - Intake

Global Buffer Overflow in GNU gzip LZH Decompression

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CERT.PL

Description

GNU gzip contains a global buffer overflow vulnerability in the LZH decompression logic caused by improper reuse of shared global state between different decompression formats within a single execution. GNU gzip maintains a global array that is shared across the LZ77, LZW, and LZH decompression routines and is not reinitialized between files processed in the same invocation. By decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command, an attacker can poison the shared global state and subsequently trigger an out-of-bounds read in the LZH decoder. The LZH decompression logic follows stale values left in the shared array, causing reads past the end of the allocated global buffer. This issue has been fixed in commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
gnu | gzip | From 63dbf6b3b9e6e781df1a6a64e609b10e23969681 (inc)
gnu | gzip | to 63dbf6b3b9e6e781df1a6a64e609b10e23969681 (inc)

Exploitability

CWE

CWE ID | Description
CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

Executive Summary

This vulnerability exists in GNU gzip's LZH decompression logic due to improper reuse of a shared global buffer between different decompression formats (LZ77, LZW, and LZH) within a single execution. The global array used by these routines is not reinitialized between files processed in the same gzip command.

An attacker can exploit this by decompressing a specially crafted LZW file followed by a specially crafted LZH file in a single gzip -d command. This sequence poisons the shared global state, causing the LZH decoder to perform out-of-bounds reads past the end of the allocated buffer, leading to a global buffer overflow.

Impact Analysis

The vulnerability can lead to out-of-bounds memory reads during decompression, which may cause crashes or potentially allow an attacker to execute arbitrary code or cause denial of service by exploiting the buffer overflow.

Mitigation Strategies

To mitigate this vulnerability, update GNU gzip to a version that includes the fix from commit 63dbf6b3b9e6e781df1a6a64e609b10e23969681.

Avoid decompressing specially crafted LZW and LZH files in a single gzip -d command until the update is applied.
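
One way to apply this workaround in a batch job, as an added example that is not part of the advisory or of gzip itself: classify each input by its two-byte magic number, flag any batch in which an LZW file precedes an LZH file, and in that case run one gzip process per file so no global state carries over. The function names and the sample batch are assumptions made for illustration; the magic values are those gzip uses to select a decoder.

```python
from typing import Iterable, List, Tuple

# Two-byte magic numbers gzip uses to select a decompressor.
MAGIC = {
    b"\x1f\x8b": "gzip",  # deflate (LZ77)
    b"\x1f\x9d": "lzw",   # compress(1) .Z files
    b"\x1f\xa0": "lzh",   # SCO "compress -H" files
    b"\x1f\x1e": "pack",  # pack(1) files
}

def classify(header: bytes) -> str:
    """Map the first two bytes of a file to the decoder gzip would pick."""
    return MAGIC.get(header[:2], "unknown")

def lzw_before_lzh(formats: Iterable[str]) -> bool:
    """True if an LZH file follows an LZW file in processing order."""
    seen_lzw = False
    for fmt in formats:
        if fmt == "lzw":
            seen_lzw = True
        elif fmt == "lzh" and seen_lzw:
            return True
    return False

def plan_invocations(batch: List[Tuple[str, bytes]]) -> List[List[str]]:
    """Return argv lists: one shared process if the order is benign,
    otherwise one process per file so each starts with fresh globals."""
    names = [name for name, _ in batch]
    if not names:
        return []
    formats = [classify(header) for _, header in batch]
    if lzw_before_lzh(formats):
        return [["gzip", "-d", "--", name] for name in names]
    return [["gzip", "-d", "--", *names]]

# Constructed sample: (file name, first bytes of the file). Hypothetical names.
SAMPLE_BATCH = [
    ("upload-a.Z", b"\x1f\x9d\x90"),
    ("upload-b.gz", b"\x1f\x8b\x08"),
    ("upload-c.lzh", b"\x1f\xa0\x00"),
]

if __name__ == "__main__":
    for argv in plan_invocations(SAMPLE_BATCH):
        print(" ".join(argv))
```

Feed the returned argv lists to `subprocess.run` one at a time; a batch flagged by `lzw_before_lzh` on untrusted input is also worth logging for review.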
