CVE-2026-3381

Name: CVE-2026-3381
Description: Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib. Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings from the 7ASecurity audit of zlib. This includes fixes for CVE-2026-27171.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package                     Release      Version    Status
libcompress-raw-zlib-perl (PTS)    bullseye     2.101-1    fixed
                                   bookworm     2.204-1    fixed
                                   trixie       2.213-1    fixed
                                   forky, sid   2.222-1    fixed

The information below is based on the following data on fixed versions.

Package                      Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
libcompress-raw-zlib-perl    source   (unstable)   2.011-2

Notes

https://lists.security.metacpan.org/cve-announce/msg/37638919/
Since libcompress-raw-zlib-perl/2.011-2 the packaging uses the system zlib library.
The CVE is assigned for the embedded use of zlib to address CVE-2026-27171.
