Bug 2427688 (CVE-2026-22184)

Summary: CVE-2026-22184 zlib: Arbitrary code execution via buffer overflow in untgz utility
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adudiak, ahughes, caswilli, csutherl, dfreiber, drow, eglynn, fferrari, fitzsim, gotiwari, jburrell, jcantril, jclere, jgrulich, jhorak, jjoyce, jschluet, jvasik, kaycoth, khosford, kshier, lhh, mburns, mgarciac, mvyas, neugens, pjindal, plodge, rblanco, rojacob, stcannon, szappis, teagle, tpopela, vchlup, vkumar, vmugicag, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in zlib. A global buffer overflow vulnerability exists in the `untgz` utility, specifically within the `TGZfname()` function. This flaw allows an attacker to provide an archive name longer than 1024 bytes, leading to an out-of-bounds write. This can result in memory corruption, denial of service, and potentially arbitrary code execution on the affected system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2427793, 2427794, 2427795, 2427796, 2427798, 2427799, 2427800, 2427801, 2427802, 2427804, 2427806, 2427807, 2427808, 2427809, 2427810, 2427811, 2427812, 2427814, 2427816, 2427817, 2427818, 2427819, 2427820, 2427822, 2427824, 2427825, 2427826, 2427827, 2427828, 2427830, 2427831, 2427797, 2427803, 2427805, 2427813, 2427815, 2427829, 2427832
Bug Blocks:

Description OSIDB Bzimport 2026-01-07 21:03:00 UTC
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
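Added example, not zlib's own untgz code: a C model of the pattern the description above names (an unbounded strcpy() of an argv[] name into a 1024-byte static buffer, followed by suffix probing that writes into the same buffer) next to a hardened rewrite that validates the length before the first copy and bounds every write. The suffix list, the status codes, the injected existence callback and the constructed fake filesystem in which only foo.tgz exists are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TGZ_NAME_BUF 1024  /* size of the static buffer the report describes */

/* Suffixes probed in order; "" first so an exact name wins (assumed list). */
static const char *const tgz_suffix[] = { "", ".tar", ".tar.gz", ".tgz", NULL };

/* Existence probe is injected so the example runs without touching disk. */
typedef int (*exists_fn)(const char *path);

enum tgz_status { TGZ_FOUND = 0, TGZ_NOT_FOUND = 1, TGZ_NAME_TOO_LONG = 2 };

/* Model of the vulnerable shape (assumed, not zlib's code): arcname comes
 * straight from argv[] and both strcpy() calls write into a 1024-byte static
 * buffer with no length check. Shown for contrast; never call with untrusted input. */
char *tgz_fname_unsafe(const char *arcname, exists_fn exists)
{
    static char buffer[TGZ_NAME_BUF];
    size_t origlen, i;
    strcpy(buffer, arcname);                      /* unbounded write #1 */
    origlen = strlen(buffer);
    for (i = 0; tgz_suffix[i]; i++) {
        strcpy(buffer + origlen, tgz_suffix[i]);  /* unbounded write #2 */
        if (exists(buffer))
            return buffer;
    }
    return NULL;
}

/* Hardened variant: reject before the first copy (the overflow happens before
 * any archive parsing, so a later check is too late), size the check on the
 * worst case of name + longest suffix + NUL, and bound every write. */
enum tgz_status tgz_fname_safe(const char *arcname, char *out, size_t outsz,
                               exists_fn exists)
{
    size_t namelen = strlen(arcname), maxsuffix = 0, i;
    for (i = 0; tgz_suffix[i]; i++)
        if (strlen(tgz_suffix[i]) > maxsuffix)
            maxsuffix = strlen(tgz_suffix[i]);
    if (outsz <= maxsuffix || namelen > outsz - 1 - maxsuffix)
        return TGZ_NAME_TOO_LONG;

    for (i = 0; tgz_suffix[i]; i++) {
        int n = snprintf(out, outsz, "%s%s", arcname, tgz_suffix[i]);
        if (n < 0 || (size_t)n >= outsz)   /* defensive; unreachable after the check */
            return TGZ_NAME_TOO_LONG;
        if (exists(out))
            return TGZ_FOUND;
    }
    out[0] = '\0';
    return TGZ_NOT_FOUND;
}

/* Constructed fake filesystem for the demo: only "foo.tgz" exists. */
int demo_exists(const char *path) { return strcmp(path, "foo.tgz") == 0; }

/* 1 if arcname resolves to expect on the fake filesystem, else 0. */
int demo_resolves_to(const char *arcname, const char *expect)
{
    char out[TGZ_NAME_BUF];
    return tgz_fname_safe(arcname, out, sizeof out, demo_exists) == TGZ_FOUND
        && strcmp(out, expect) == 0;
}

/* Status for a constructed name of n 'A' bytes resolved into a 1024-byte
 * buffer: the input class the report describes. */
enum tgz_status demo_overlong(size_t n)
{
    char out[TGZ_NAME_BUF];
    char *name = malloc(n + 1);
    enum tgz_status st;
    if (!name)
        return TGZ_NAME_TOO_LONG;  /* treat allocation failure as rejection */
    memset(name, 'A', n);
    name[n] = '\0';
    st = tgz_fname_safe(name, out, sizeof out, demo_exists);
    free(name);
    return st;
}

/* Stand-alone use: resolve argv[1] against the fake filesystem and report. */
int main(int argc, char **argv)
{
    char out[TGZ_NAME_BUF];
    enum tgz_status st;
    if (argc < 2) {
        fprintf(stderr, "usage: %s ARCHIVE_NAME\n", argv[0]);
        return 2;
    }
    st = tgz_fname_safe(argv[1], out, sizeof out, demo_exists);
    printf("%s -> %s\n", argv[1], st == TGZ_FOUND ? out :
           st == TGZ_NOT_FOUND ? "not found" : "rejected: name too long");
    return st == TGZ_FOUND ? 0 : 1;
}
```

Run as `./a.out foo` the program resolves to foo.tgz; given a name of a few thousand bytes it reports the rejection instead of writing past the buffer. The check is sized on name plus longest suffix plus terminator, which also covers the second write in the unchecked version: a name of 1016 bytes still fits with ".tar.gz" appended, 1017 does not. Because the name arrives via argv[], the realistic trigger is an attacker who controls the command line handed to untgz (a wrapper script, a build or CI job, a file-open handler), not the archive contents themselves.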