Bug 2446882 (CVE-2026-31988) - CVE-2026-31988 yauzl: yauzl: Denial of Service vulnerability in zip file processing
Keywords:
Status: NEW
Alias: CVE-2026-31988
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2459116 2459117 2459118 2459119 2459120
Blocks:
Reported: 2026-03-12 00:01 UTC by OSIDB Bzimport
Modified: 2026-04-28 06:33 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-03-12 00:01:39 UTC
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
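
Added example (not yauzl's code and not part of the original report): a simplified walker over NTFS extra field data, run once with the loop condition quoted in the description and once with the corrected one, showing why the quoted condition lets readUInt16LE() throw ERR_OUT_OF_RANGE. The function names, the reduced parsing logic and the constructed buffers are assumptions for illustration.

```javascript
// Added example: simplified NTFS (0x000a) extra field walker, not yauzl's code.
// Data layout per the PKWARE APPNOTE: 4 reserved bytes, then repeated
//   tag (uint16 LE) | size (uint16 LE) | `size` bytes of attribute data.
// Tag 0x0001 holds mtime, atime, ctime as three 8-byte FILETIME values.
function readNtfsMtime(data, keepGoing) {
  let cursor = 4; // skip the reserved bytes
  while (keepGoing(cursor, data.length)) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    if (tag === 0x0001 && size >= 8 && cursor + size <= data.length) {
      return data.readBigUInt64LE(cursor); // raw FILETIME of mtime
    }
    cursor += size; // skip attributes we do not use
  }
  return null; // no usable timestamp attribute
}

// The two loop conditions named in the description.
const flawed = (cursor, length) => cursor < length + 4;
const fixed = (cursor, length) => cursor + 4 <= length;

// Run the walker and report a thrown error code instead of crashing.
function tryParse(data, keepGoing) {
  try {
    return { ok: true, mtime: readNtfsMtime(data, keepGoing) };
  } catch (err) {
    return { ok: false, code: err.code };
  }
}

// Constructed inputs (extra field data only, not a zip file).
const SAMPLE_FILETIME = 132223104000000000n; // arbitrary constructed value
const wellFormed = Buffer.alloc(4 + 4 + 24);
wellFormed.writeUInt16LE(0x0001, 4); // tag
wellFormed.writeUInt16LE(24, 6);     // size
wellFormed.writeBigUInt64LE(SAMPLE_FILETIME, 8);
const tooShort = Buffer.alloc(6); // 2 bytes after reserved: no room for tag + size

console.log(tryParse(wellFormed, flawed));
console.log(tryParse(tooShort, flawed));
console.log(tryParse(tooShort, fixed));
```

The same try/catch pattern around entry.getLastModDate() keeps a malformed entry from terminating the process on an unpatched version; upgrading to 3.2.1 is the fix the report names.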