Fluid Attacks Database

Description

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.23	zlib	=1.2.10-r0 \|\| =1.2.11-r0 \|\| =1.2.11-r1 \|\| =1.2.11-r2 \|\| =1.2.11-r3 \|\| =1.2.11-r4 \|\| =1.2.12-r0 \|\| =1.2.12-r1 \|\| =1.2.12-r2 \|\| =1.2.12-r3 \|\| =1.2.13-r0 \|\| =1.2.13-r1 \|\| =1.2.13-r2 \|\| =1.2.3.3-r2 \|\| =1.2.3.3-r3 \|\| =1.2.3.3-r4 \|\| =1.2.3.3-r5 \|\| =1.2.3.3-r6 \|\| =1.2.3.3-r7 \|\| =1.2.3.4-r0 \|\| =1.2.3.4-r1 \|\| =1.2.3.7-r0 \|\| =1.2.3.7-r1 \|\| =1.2.3.9-r0 \|\| =1.2.4-r0 \|\| =1.2.4-r1 \|\| =1.2.5-r0 \|\| =1.2.5-r1 \|\| =1.2.5-r2 \|\| =1.2.6-r0 \|\| =1.2.7-r0 \|\| =1.2.7-r1 \|\| =1.2.8-r0 \|\| =1.2.8-r1 \|\| =1.2.8-r2 \|\| =1.3-r0 \|\| =1.3-r1 \|\| =1.3-r2 \|\| =1.3.1-r0 \|\| =1.3.1-r1 \|\| =1.3.1-r2 \|\| >=0 <1.3.2-r0	1.3.2-r0
debian 12	zlib	>=0 <1:1.2.6.dfsg-1	1:1.2.6.dfsg-1
debian 14	zlib	>=0 <1:1.2.6.dfsg-1	1:1.2.6.dfsg-1
debian 13	zlib	>=0 <1:1.2.6.dfsg-1	1:1.2.6.dfsg-1
debian 11	zlib	>=0 <1:1.2.6.dfsg-1	1:1.2.6.dfsg-1
rpm rhel8	mingw-zlib	-	-
rpm rhel9	mingw-zlib	-	-
rpm rhel10	mingw-zlib	-	-
alpine v3.21	zlib	=1.2.10-r0 \|\| =1.2.11-r0 \|\| =1.2.11-r1 \|\| =1.2.11-r2 \|\| =1.2.11-r3 \|\| =1.2.11-r4 \|\| =1.2.12-r0 \|\| =1.2.12-r1 \|\| =1.2.12-r2 \|\| =1.2.12-r3 \|\| =1.2.13-r0 \|\| =1.2.13-r1 \|\| =1.2.13-r2 \|\| =1.2.3.3-r2 \|\| =1.2.3.3-r3 \|\| =1.2.3.3-r4 \|\| =1.2.3.3-r5 \|\| =1.2.3.3-r6 \|\| =1.2.3.3-r7 \|\| =1.2.3.4-r0 \|\| =1.2.3.4-r1 \|\| =1.2.3.7-r0 \|\| =1.2.3.7-r1 \|\| =1.2.3.9-r0 \|\| =1.2.4-r0 \|\| =1.2.4-r1 \|\| =1.2.5-r0 \|\| =1.2.5-r1 \|\| =1.2.5-r2 \|\| =1.2.6-r0 \|\| =1.2.7-r0 \|\| =1.2.7-r1 \|\| =1.2.8-r0 \|\| =1.2.8-r1 \|\| =1.2.8-r2 \|\| =1.3-r0 \|\| =1.3-r1 \|\| =1.3-r2 \|\| =1.3.1-r0 \|\| =1.3.1-r1 \|\| =1.3.1-r2 \|\| >=0 <1.3.2-r0	1.3.2-r0
alpine v3.22	zlib	=1.2.10-r0 \|\| =1.2.11-r0 \|\| =1.2.11-r1 \|\| =1.2.11-r2 \|\| =1.2.11-r3 \|\| =1.2.11-r4 \|\| =1.2.12-r0 \|\| =1.2.12-r1 \|\| =1.2.12-r2 \|\| =1.2.12-r3 \|\| =1.2.13-r0 \|\| =1.2.13-r1 \|\| =1.2.13-r2 \|\| =1.2.3.3-r2 \|\| =1.2.3.3-r3 \|\| =1.2.3.3-r4 \|\| =1.2.3.3-r5 \|\| =1.2.3.3-r6 \|\| =1.2.3.3-r7 \|\| =1.2.3.4-r0 \|\| =1.2.3.4-r1 \|\| =1.2.3.7-r0 \|\| =1.2.3.7-r1 \|\| =1.2.3.9-r0 \|\| =1.2.4-r0 \|\| =1.2.4-r1 \|\| =1.2.5-r0 \|\| =1.2.5-r1 \|\| =1.2.5-r2 \|\| =1.2.6-r0 \|\| =1.2.7-r0 \|\| =1.2.7-r1 \|\| =1.2.8-r0 \|\| =1.2.8-r1 \|\| =1.2.8-r2 \|\| =1.3-r0 \|\| =1.3-r1 \|\| =1.3-r2 \|\| =1.3.1-r0 \|\| =1.3.1-r1 \|\| =1.3.1-r2 \|\| >=0 <1.3.2-r0	1.3.2-r0

1-10 of 11

Aliases

1. CVE-2026-221842. NVD-2026-221843. OSV-ALPINE-2026-221844. OSV-2026-221845. OSV-DEBIAN-2026-221846. SECURITY-CVE-2026-221847. SECURITY-TRACKER-CVE-2026-22184

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.