| Name | CVE-2026-3381 |
| Description | Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings from the 7ASecurity audit of zlib. This includes fixes for CVE-2026-27171. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| libcompress-raw-zlib-perl (PTS) | bullseye | 2.101-1 | fixed |
| libcompress-raw-zlib-perl (PTS) | bookworm | 2.204-1 | fixed |
| libcompress-raw-zlib-perl (PTS) | trixie | 2.213-1 | fixed |
| libcompress-raw-zlib-perl (PTS) | sid, forky | 2.221-1 | fixed |
| perl (PTS) | bullseye | 5.32.1-4+deb11u3 | fixed |
| perl (PTS) | bullseye (security) | 5.32.1-4+deb11u4 | fixed |
| perl (PTS) | bookworm | 5.36.0-7+deb12u3 | fixed |
| perl (PTS) | bookworm (security) | 5.36.0-7+deb12u2 | fixed |
| perl (PTS) | trixie | 5.40.1-6 | fixed |
| perl (PTS) | sid, forky | 5.40.1-7 | fixed |
The information below is based on the following data on fixed versions.
Notes
https://lists.security.metacpan.org/cve-announce/msg/37638919/
Since libcompress-raw-zlib-perl/2.011-2 and perl/5.10.0-20 (in experimental) the
packaging uses the system zlib library. The CVE is assigned for the embedded use
of zlib to address CVE-2026-27171.