Description

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.

Related CPE's

a

zlib

zlib

Vulnerable

References

https://github.com/madler/zlib

Product

https://seclists.org/fulldisclosure/2026/Jan/3

Mailing ListThird Party Advisory

https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname

Third Party Advisory

https://zlib.net/

Product

https://github.com/madler/zlib/issues/1142

Issue Tracking

Weaknesses

[email protected]

Secondary
CWE-120

[email protected]

Primary
CWE-787

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-07T21:16:01.563Z

1 week ago

Last modified

2026-01-14T20:24:05.723Z

7 hours ago