Bug 2427688 (CVE-2026-22184) - CVE-2026-22184 zlib: zlib: Arbitrary code execution via buffer overflow in untgz utility
Summary: CVE-2026-22184 zlib: zlib: Arbitrary code execution via buffer overflow in un...
Keywords:
Status: NEW
Alias: CVE-2026-22184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2427793 2427794 2427795 2427796 2427798 2427799 2427800 2427801 2427802 2427804 2427806 2427807 2427808 2427809 2427810 2427811 2427812 2427814 2427816 2427817 2427818 2427819 2427820 2427822 2427824 2427825 2427826 2427827 2427828 2427830 2427831 2427797 2427803 2427805 2427813 2427815 2427829 2427832
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-07 21:03 UTC by OSIDB Bzimport
Modified: 2026-01-08 07:53 UTC (History)
38 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-01-07 21:03:00 UTC 
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
Note You need to log in before you can comment on or make changes to this bug.