CVE-2026-22184

07.01.2026, 21:16

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.

Classic Buffer Overflow

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
VulnCheck	CNA	---	---
CISA-ADP	ADP	---	---

Base Score

CVSS 3.x

EPSS Score

Percentile: 24%

Ubuntu Releases

Ubuntu Product

Codename

zlib

questing	not-affected
plucky	not-affected
noble	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

rsync

questing	not-affected
plucky	not-affected
noble	not-affected
jammy	not-affected
focal	needed
bionic	needed
xenial	needed
trusty	not-affected

klibc

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

zsync

questing	needs-triage
plucky	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
The program copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Vulnerability Media Exposure

References

https://github.com/madler/zlib

https://seclists.org/fulldisclosure/2026/Jan/3

https://www.vulncheck.com/advisories/zlib-untgz-global-buffer-overflow-in-tgzfname

https://zlib.net/