CVE-2026-27820

EUVD-2026-23278
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 42%
Affected Products (NVD)
VendorProductVersion
ruby-langzlib
𝑥
< 3.0.1
ruby-langzlib
3.1.0 ≤
𝑥
< 3.1.2
ruby-langzlib
3.2.0 ≤
𝑥
< 3.2.3
𝑥
= Vulnerable software versions
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_5-2_5
suse enterprise desktop 15 SP7
2.5.9-150700.24.6.1
fixed
suse enterprise sap 15 SP7
2.5.9-150700.24.6.1
fixed
suse enterprise server 15 SP7
2.5.9-150700.24.6.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby3.4
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-bundled-gems
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-bundled-gems-debuginfo
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-debuginfo
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-debugsource
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-default-gems
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-devel
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-doc
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-libs
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-libs-debuginfo
Amazon Linux 2023
0:3.4.8-27.amzn2023.0.6
fixed
ruby3.4-rubygem-bigdecimal
Amazon Linux 2023
0:3.1.8-27.amzn2023.0.6
fixed
ruby3.4-rubygem-bigdecimal-debuginfo
Amazon Linux 2023
0:3.1.8-27.amzn2023.0.6
fixed
ruby3.4-rubygem-bundler
Amazon Linux 2023
0:2.6.9-27.amzn2023.0.6
fixed
ruby3.4-rubygem-io-console
Amazon Linux 2023
0:0.8.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-io-console-debuginfo
Amazon Linux 2023
0:0.8.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-irb
Amazon Linux 2023
0:1.14.3-27.amzn2023.0.6
fixed
ruby3.4-rubygem-json
Amazon Linux 2023
0:2.9.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-json-debuginfo
Amazon Linux 2023
0:2.9.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-minitest
Amazon Linux 2023
0:5.25.4-27.amzn2023.0.6
fixed
ruby3.4-rubygem-power_assert
Amazon Linux 2023
0:2.0.5-27.amzn2023.0.6
fixed
ruby3.4-rubygem-psych
Amazon Linux 2023
0:5.2.2-27.amzn2023.0.6
fixed
ruby3.4-rubygem-psych-debuginfo
Amazon Linux 2023
0:5.2.2-27.amzn2023.0.6
fixed
ruby3.4-rubygem-racc
Amazon Linux 2023
0:1.8.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-racc-debuginfo
Amazon Linux 2023
0:1.8.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rake
Amazon Linux 2023
0:13.2.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rbs
Amazon Linux 2023
0:3.8.0-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rbs-debuginfo
Amazon Linux 2023
0:3.8.0-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rdoc
Amazon Linux 2023
0:6.14.0-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rexml
Amazon Linux 2023
0:3.4.4-27.amzn2023.0.6
fixed
ruby3.4-rubygem-rss
Amazon Linux 2023
0:0.3.1-27.amzn2023.0.6
fixed
ruby3.4-rubygem-test-unit
Amazon Linux 2023
0:3.6.7-27.amzn2023.0.6
fixed
ruby3.4-rubygem-typeprof
Amazon Linux 2023
0:0.30.1-27.amzn2023.0.6
fixed
ruby3.4-rubygems
Amazon Linux 2023
0:3.6.9-27.amzn2023.0.6
fixed
ruby3.4-rubygems-devel
Amazon Linux 2023
0:3.6.9-27.amzn2023.0.6
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
ruby
Azure Linux 3.0
0:3.3.5-8.azl3
fixed