CVE-2026-22184

NameCVE-2026-22184
Descriptionzlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zlib (PTS)bullseye (security), bullseye1:1.2.11.dfsg-2+deb11u2fixed
bookworm1:1.2.13.dfsg-1fixed
forky, sid, trixie1:1.3.dfsg+really1.3.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zlibsource(unstable)1:1.2.6.dfsg-1unimportant

Notes

https://www.openwall.com/lists/oss-security/2026/01/06/5
https://github.com/madler/zlib/issues/1142
contrib/untgz excluded from orig tarball since 1:1.2.3.5.dfsg-1
Before the change contrib/untgz not build for Debian
Search for package or bug name: Reporting problems