CVE-2026-39244
Received Received - Intake

Denial of Service in adm-zip via Malicious ZIP File

Vulnerability report for CVE-2026-39244, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: MITRE

Description

adm-zip before 0.5.18 is vulnerable to denial of service via a crafted ZIP file with a manipulated uncompressed size header field. In zipEntry.js line 103, Buffer.alloc(_centralHeader.size) allocates memory based on the declared uncompressed size from the ZIP central directory header without validating it against the actual compressed data size or imposing any upper bound. The size value is read directly from the binary header at entryHeader.js line 266 with no bounds check. An attacker can craft a ~120-byte ZIP file that declares ~4GB uncompressed size, causing a memory allocation amplification ratio of over 33 million to 1. The allocation occurs before CRC validation, so the malicious payload cannot be rejected early. All extraction and read methods are affected: readFile(), readAsText(), extractEntryTo(), extractAllTo(), extractAllToAsync(), test(), and entry.getData(). Any application accepting untrusted ZIP files via adm-zip is vulnerable to immediate process crash.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
adm-zip adm-zip to 0.5.18 (exc)
cthackers adm-zip to 0.5.18 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-39244 is a denial-of-service vulnerability in the adm-zip library versions before 0.5.18. It occurs because the library allocates memory based on the uncompressed size declared in a ZIP file's central directory header without validating this size or imposing any upper limit.

An attacker can craft a very small ZIP file (around 120 bytes) that falsely declares an uncompressed size of about 4 GB. When adm-zip processes this file, it tries to allocate a buffer of that large size before verifying the file's integrity, leading to excessive memory allocation.

This unbounded memory allocation causes the Node.js process to crash due to out-of-memory errors, affecting all extraction and read methods such as readFile(), extractAllTo(), and getData().

Impact Analysis

This vulnerability can cause immediate crashes of any application using adm-zip to process untrusted ZIP files. Because the library allocates large amounts of memory based on manipulated ZIP headers, an attacker can remotely trigger denial-of-service conditions without authentication.

The impact includes service disruption, potential downtime, and resource exhaustion, which can affect availability and reliability of applications handling ZIP files.

Detection Guidance

This vulnerability can be detected by identifying the presence of adm-zip library versions before 0.5.18 in your applications that process ZIP files.

Since the vulnerability is triggered by processing a crafted ZIP file with an uncompressed size header declaring an abnormally large size (~4GB) in a small ZIP file (~120 bytes), detection involves inspecting ZIP files for suspicious uncompressed size headers.

There are no specific commands provided in the resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

Immediate mitigation steps include avoiding processing untrusted ZIP files with adm-zip versions prior to 0.5.18.

If possible, upgrade adm-zip to version 0.5.18 or later, which addresses this vulnerability.

As a workaround, implement validation of the uncompressed size field against the compressed size or impose configurable limits on memory allocation when handling ZIP files.

Until a fix is applied, restrict access to services that process ZIP files to trusted users and sources to reduce the risk of denial-of-service attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart