CVE-2022-37434

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Classic Buffer Overflow

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Score Percentile: 99%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| zlib | zlib | 𝑥 ≤ 1.2.12 |
| debian | debian_linux | 10.0 |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | hci | - |
| netapp | management_services_for_element_software | - |
| netapp | oncommand_workflow_automation | - |
| netapp | ontap_select_deploy_administration_utility | - |
| netapp | storagegrid | - |
| netapp | hci_compute_node | - |
| netapp | h300s_firmware | - |
| netapp | h500s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h700s_firmware | - |
| apple | ipados | 𝑥 < 15.7.1 |
| apple | iphone_os | 𝑥 < 15.7.1 |
| apple | iphone_os | 16.0 ≤ 𝑥 < 16.1 |
| apple | macos | 11.0 ≤ 𝑥 < 11.7.1 |
| apple | macos | 12.0.0 ≤ 𝑥 < 12.6.1 |
| apple | watchos | 𝑥 < 9.1 |
| stormshield | stormshield_network_security | 3.7.31 ≤ 𝑥 < 3.7.34 |
| stormshield | stormshield_network_security | 3.11.0 ≤ 𝑥 < 3.11.22 |
| stormshield | stormshield_network_security | 4.3.0 ≤ 𝑥 < 4.3.16 |
| stormshield | stormshield_network_security | 4.6.0 ≤ 𝑥 < 4.6.3 |

𝑥 = Vulnerable software versions

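Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| libz-mingw-w64 | bookworm | 1.2.13+dfsg-1 | fixed |
| libz-mingw-w64 | bullseye | | no-dsa |
| libz-mingw-w64 | buster | | no-dsa |
| libz-mingw-w64 | sid | 1.3.1+dfsg-1 | fixed |
| libz-mingw-w64 | trixie | 1.3.1+dfsg-1 | fixed |
| zlib | bookworm | 1:1.2.13.dfsg-1 | fixed |
| zlib | bullseye | 1:1.2.11.dfsg-2+deb11u2 | no-dsa |
| zlib | bullseye (security) | 1:1.2.11.dfsg-2+deb11u2 | fixed |
| zlib | buster | | no-dsa |
| zlib | sid | 1:1.3.dfsg+really1.3.1-1 | fixed |
| zlib | trixie | 1:1.3.dfsg+really1.3.1-1 | fixed |
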
Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| klibc | bionic | Fixed 2.0.4-9ubuntu2.2+esm1 | released |
| klibc | focal | Fixed 2.0.7-1ubuntu5.2 | released |
| klibc | jammy | Fixed 2.0.10-4ubuntu0.1 | released |
| klibc | mantic | Fixed 2.0.13-1ubuntu0.1 | released |
| klibc | noble | Fixed 2.0.13-4ubuntu0.1 | released |
| klibc | trusty | Fixed 2.0.3-0ubuntu1.14.04.3+esm3 | released |
| klibc | xenial | Fixed 2.0.4-8ubuntu1.16.04.4+esm2 | released |
| rsync | bionic | Fixed 3.1.2-2.1ubuntu1.5 | released |
| rsync | focal | Fixed 3.1.3-8ubuntu0.4 | released |
| rsync | jammy | | not-affected |
| rsync | kinetic | | not-affected |
| rsync | mantic | | not-affected |
| rsync | noble | | not-affected |
| rsync | trusty | | not-affected |
| rsync | xenial | Fixed 3.1.1-3ubuntu1.3+esm2 | released |
| zlib | bionic | Fixed 1:1.2.11.dfsg-0ubuntu2.2 | released |
| zlib | focal | Fixed 1:1.2.11.dfsg-2ubuntu1.5 | released |
| zlib | jammy | Fixed 1:1.2.11.dfsg-2ubuntu9.2 | released |
| zlib | kinetic | | not-affected |
| zlib | mantic | | not-affected |
| zlib | noble | | not-affected |
| zlib | trusty | Fixed 1:1.2.8.dfsg-1ubuntu1.1+esm2 | released |
| zlib | xenial | Fixed 1:1.2.8.dfsg-2ubuntu4.3+esm2 | released |

openSUSE / SLES Releases

| openSUSE Product | Release | Version | Status |
|---|---|---|---|
| libminizip1 | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libminizip1 | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libminizip1 | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libminizip1 | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libminizip1 | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libminizip1 | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libminizip1 | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libminizip1 | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libminizip1 | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libminizip1 | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1 | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1 | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise server 12 SP2 | 1.2.8-12.9.1 | fixed |
| libz1 | suse enterprise server 12 SP3 | 1.2.8-12.9.1 | fixed |
| libz1 | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |
| libz1 | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1 | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1 | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1 | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1-32bit | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1-32bit | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise server 12 SP2 | 1.2.8-12.9.1 | fixed |
| libz1-32bit | suse enterprise server 12 SP3 | 1.2.8-12.9.1 | fixed |
| libz1-32bit | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |
| libz1-32bit | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| libz1-32bit | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| libz1-32bit | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| minizip-devel | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| minizip-devel | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| minizip-devel | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| minizip-devel | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| minizip-devel | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| rsync | suse enterprise desktop 15 SP6 | 3.2.7-150600.1.5 | fixed |
| rsync | suse enterprise desktop 15 SP7 | 3.2.7-150600.3.11.1 | fixed |
| rsync | suse enterprise sap 15 SP6 | 3.2.7-150600.1.5 | fixed |
| rsync | suse enterprise sap 15 SP7 | 3.2.7-150600.3.11.1 | fixed |
| rsync | suse enterprise server 15 SP6 | 3.2.7-150600.1.5 | fixed |
| rsync | suse enterprise server 15 SP7 | 3.2.7-150600.3.11.1 | fixed |
| zlib-devel | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel | suse enterprise server 12 SP2 | 1.2.8-12.9.1 | fixed |
| zlib-devel | suse enterprise server 12 SP3 | 1.2.8-12.9.1 | fixed |
| zlib-devel | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |
| zlib-devel | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-32bit | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |
| zlib-devel-32bit | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-32bit | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise desktop 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise desktop 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise desktop 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel-static | suse enterprise desktop 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static | suse enterprise desktop 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static | suse enterprise sap 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise sap 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise sap 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel-static | suse enterprise sap 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static | suse enterprise sap 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |
| zlib-devel-static | suse enterprise server 15 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP1 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP2 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP3 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP4 | 1.2.11-150000.3.33.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP5 | 1.2.13-150500.2.3 | fixed |
| zlib-devel-static | suse enterprise server 15 SP6 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static | suse enterprise server 15 SP7 | 1.2.13-150500.4.3.1 | fixed |
| zlib-devel-static-32bit | suse enterprise server 12 SP4 | 1.2.11-3.9.1 | fixed |

Red Hat Enterprise Linux Releases

| Red Hat Product | Release | Version | Status |
|---|---|---|---|
| minizip | RHEL 7 | 0:1.2.7-21.el7_9 | fixed |
| minizip-devel | RHEL 7 | 0:1.2.7-21.el7_9 | fixed |
| rsync | RHEL 8 | 0:3.1.3-19.el8 | fixed |
| rsync | RHEL 8.6 AUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync | RHEL 8.6 E4S | 0:3.1.3-14.el8_6.5 | fixed |
| rsync | RHEL 8.6 EUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync | RHEL 8.6 TUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync | RHEL 9 | 0:3.2.3-18.el9 | fixed |
| rsync-daemon | RHEL 8 | 0:3.1.3-19.el8 | fixed |
| rsync-daemon | RHEL 8.6 AUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync-daemon | RHEL 8.6 E4S | 0:3.1.3-14.el8_6.5 | fixed |
| rsync-daemon | RHEL 8.6 EUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync-daemon | RHEL 8.6 TUS | 0:3.1.3-14.el8_6.5 | fixed |
| rsync-daemon | RHEL 9 | 0:3.2.3-18.el9 | fixed |
| zlib | RHEL 7 | 0:1.2.7-21.el7_9 | fixed |
| zlib | RHEL 8 | 0:1.2.11-19.el8_6 | fixed |
| zlib | RHEL 8.6 AUS | 0:1.2.11-19.el8_6 | fixed |
| zlib | RHEL 8.6 E4S | 0:1.2.11-19.el8_6 | fixed |
| zlib | RHEL 8.6 EUS | 0:1.2.11-19.el8_6 | fixed |
| zlib | RHEL 8.6 TUS | 0:1.2.11-19.el8_6 | fixed |
| zlib | RHEL 9 | 0:1.2.11-32.el9_0 | fixed |
| zlib-devel | RHEL 7 | 0:1.2.7-21.el7_9 | fixed |
| zlib-devel | RHEL 8 | 0:1.2.11-19.el8_6 | fixed |
| zlib-devel | RHEL 8.6 AUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-devel | RHEL 8.6 E4S | 0:1.2.11-19.el8_6 | fixed |
| zlib-devel | RHEL 8.6 EUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-devel | RHEL 8.6 TUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-devel | RHEL 9 | 0:1.2.11-32.el9_0 | fixed |
| zlib-static | RHEL 7 | 0:1.2.7-21.el7_9 | fixed |
| zlib-static | RHEL 8 | 0:1.2.11-19.el8_6 | fixed |
| zlib-static | RHEL 8.6 AUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-static | RHEL 8.6 E4S | 0:1.2.11-19.el8_6 | fixed |
| zlib-static | RHEL 8.6 EUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-static | RHEL 8.6 TUS | 0:1.2.11-19.el8_6 | fixed |
| zlib-static | RHEL 9 | 0:1.2.11-32.el9_0 | fixed |

References