A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.
This is the upstream patch that fixed that: https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
This seems to have been filed against all packages that simply bundle zlib, while the issue itself is about pcl bundling a very old zlib (1.2.8). For example, that zlib was replaced in OpenJDK in 2017: https://github.com/openjdk/jdk/commit/b284200a903f2203029288cc68d736e423910207
The issue was found on registry.access.redhat.com/ubi9/openjdk-21-runtime:1.22-1.1747241886 (the very latest image):

  {
    "text": "",
    "id": 46,
    "severity": "high",
    "cvss": 8.1,
    "status": "affected",
    "cve": "CVE-2025-4638",
    "cause": "",
    "description": "A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic...",
    "title": "",
    "vecStr": "",
    "exploit": "",
    "riskFactors": {
      "Attack vector: network": true,
      "DoS - High": true,
      "High severity": true,
      "Recent vulnerability": true
    },
    "link": "https://access.redhat.com/security/cve/CVE-2025-4638",
    "type": "image",
    "packageType": "os",
    "severityCHML": "H",
    "packageName": "zlib",
    "packageVersion": "1.2.11-40.el9",
    "packageBinaryPkgs": [ "zlib" ]
  }
I also scanned the base image registry.redhat.io/rhel9-osbs/osbs-ubi9-minimal:latest:

  {
    "text": "",
    "id": 46,
    "severity": "high",
    "cvss": 8.1,
    "status": "affected",
    "cve": "CVE-2025-4638",
    "cause": "",
    "description": "A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by default uses a zlib installation from the system, unless the user sets WITH_SYSTEM_ZLIB=FALSE. So this potential vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib.",
    "title": "",
    "vecStr": "",
    "exploit": "",
    "riskFactors": {
      "Attack vector: network": true,
      "DoS - High": true,
      "High severity": true,
      "Recent vulnerability": true
    },
    "link": "https://access.redhat.com/security/cve/CVE-2025-4638",
    "type": "image",
    "packageType": "os",
    "layerTime": 1745451390,
    "templates": null,
    "twistlock": false,
    "cri": false,
    "published": 1747267200,
    "fixDate": 0,
    "applicableRules": [ "*" ],
    "discovered": "2025-05-21T08:54:55Z",
    "functionLayer": "",
    "wildfireMalware": {},
    "secret": {},
    "severityCHML": "H",
    "packageName": "zlib",
    "packageVersion": "1.2.11-40.el9",
    "packageBinaryPkgs": [ "zlib" ],
    "packagePath": "",
    "packageLicense": "zlib and Boost"
  }
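Added example, not code from this thread, Red Hat, PCL or zlib: a small triage script that applies the applicability rule stated in the CVE description (only PCL older than 1.14.0, or PCL built with WITH_SYSTEM_ZLIB=FALSE, ships the affected bundled zlib) to scanner records shaped like the two pasted above, and separates those from findings raised against a distribution's own zlib package, which the CVE text does not cover. The trimmed JSON record, the PCL versions and the "pcl" package-name prefix are constructed assumptions; the WITH_SYSTEM_ZLIB value has to be supplied by whoever knows how the PCL package was built, since the scanner record does not carry it.

```python
import json
import re

# Added example for triaging scanner findings that cite CVE-2025-4638.
# It is not code from the bug thread, Red Hat, PCL or zlib. It encodes the
# applicability rule from the CVE description: only PCL older than 1.14.0,
# or PCL built with WITH_SYSTEM_ZLIB=FALSE, ships the affected bundled zlib.

# Constructed, trimmed copy of the scanner record pasted in the thread.
THREAD_FINDING_JSON = """
{
  "cve": "CVE-2025-4638",
  "severity": "high",
  "packageType": "os",
  "packageName": "zlib",
  "packageVersion": "1.2.11-40.el9",
  "link": "https://access.redhat.com/security/cve/CVE-2025-4638"
}
"""

# Threshold from the CVE description: from 1.14.0 PCL uses the system zlib by default.
PCL_SYSTEM_ZLIB_DEFAULT = (1, 14, 0)


def load_thread_finding():
    """Parse the constructed scanner record above into a dict."""
    return json.loads(THREAD_FINDING_JSON)


def parse_version(version):
    """Reduce '1.13.1-2.el9' to (1, 13, 1); missing components count as 0
    and distribution release suffixes such as '-40.el9' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def triage(finding, with_system_zlib=True):
    """Classify one scanner finding (a dict) against the rule in the CVE text.

    with_system_zlib mirrors the PCL build option WITH_SYSTEM_ZLIB; the caller
    has to know how the PCL package was built. Returns (verdict, reason)."""
    if finding.get("cve") != "CVE-2025-4638":
        return ("skip", "finding is for a different CVE")

    name = finding.get("packageName", "").lower()
    version = finding.get("packageVersion", "")

    # Assumption: PCL packages carry a 'pcl' prefix (pcl, pcl-devel, ...).
    if name.startswith("pcl"):
        if parse_version(version) < PCL_SYSTEM_ZLIB_DEFAULT:
            return ("affected", f"PCL {version} is older than 1.14.0 and bundles its own zlib")
        if not with_system_zlib:
            return ("affected", f"PCL {version} was built with WITH_SYSTEM_ZLIB=FALSE and bundles its own zlib")
        return ("not-affected", f"PCL {version} uses the system zlib by default")

    if name == "zlib":
        return ("verify-advisory",
                "finding targets the distribution's zlib package, not PCL's bundled "
                "copy; the CVE text does not cover it, so check the linked vendor advisory")

    return ("verify-advisory",
            f"package {name!r} is not PCL; the scanner probably matched on a bundled "
            "zlib, so check the vendor advisory for that package")


def triage_all(findings, with_system_zlib=True):
    """Apply triage() to a list of findings; returns (package, verdict, reason) tuples."""
    return [(f.get("packageName"), *triage(f, with_system_zlib)) for f in findings]


if __name__ == "__main__":
    # Constructed PCL records alongside the record from the thread.
    sample = [
        load_thread_finding(),
        {"cve": "CVE-2025-4638", "packageName": "pcl", "packageVersion": "1.13.1"},
        {"cve": "CVE-2025-4638", "packageName": "pcl-devel", "packageVersion": "1.14.1"},
    ]
    for pkg, verdict, reason in triage_all(sample):
        print(f"{pkg:10} {verdict:16} {reason}")
```

Running the script prints the thread's zlib record as "verify-advisory", the constructed PCL 1.13.1 record as "affected" and the constructed PCL 1.14.1 record as "not-affected"; passing with_system_zlib=False to triage_all flips the 1.14.1 record to "affected", matching the WITH_SYSTEM_ZLIB=FALSE clause of the description.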
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:8314 https://access.redhat.com/errata/RHSA-2025:8314