Zlib
by Zlib
CVEs (17)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-9843 | | Critical | 0.64 | 9.8 | 0.06 | | May 23, 2017 | The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation. |
| CVE-2016-9841 | | Critical | 0.64 | 9.8 | 0.07 | | May 23, 2017 | inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. |
| CVE-2002-0059 | | Critical | 0.64 | 9.8 | 0.10 | | Mar 15, 2002 | The decompression algorithm in zlib 1.1.3 and earlier, as used in many different utilities and packages, causes inflateEnd to release certain memory more than once (a "double free"), which may allow local and remote attackers to execute arbitrary code via a block of malformed… |
| CVE-2016-9842 | | High | 0.58 | 8.8 | 0.05 | | May 23, 2017 | The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers. |
| CVE-2016-9840 | | High | 0.58 | 8.8 | 0.05 | | May 23, 2017 | inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic. |
| CVE-2003-0107 | | | 0.05 | — | 0.26 | | Mar 7, 2003 | Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code. |
| CVE-2022-37434 | | | 0.01 | — | 0.16 | | Aug 5, 2022 | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable… |
| CVE-2026-27171 | | | 0.00 | — | 0.00 | | Feb 18, 2026 | zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. |
| CVE-2026-22184 | | | 0.00 | — | 0.00 | | Jan 7, 2026 | zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user… |
| CVE-2025-4638 | | | 0.00 | — | 0.00 | | May 14, 2025 | A vulnerability exists in the inftrees.c component of the zlib library, which is bundled within the PointCloudLibrary (PCL). This issue may allow context-dependent attackers to cause undefined behavior by exploiting improper pointer arithmetic. Since version 1.14.0, PCL by… |
| CVE-2023-6992 | | | 0.00 | — | 0.00 | | Jan 4, 2024 | Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A local attacker could exploit the problem… |
| CVE-2023-48106 | | | 0.00 | — | 0.01 | | Nov 22, 2023 | Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_resolve function in the mz_os.c file. |
| CVE-2023-48107 | | | 0.00 | — | 0.01 | | Nov 22, 2023 | Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an attacker to execute arbitrary code via a crafted file to the mz_path_has_slash function in the mz_os.c file. |
| CVE-2018-25032 | | | 0.00 | — | 0.52 | | Mar 25, 2022 | zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. |
| CVE-2005-1849 | | | 0.00 | — | 0.04 | | Jul 26, 2005 | inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced. |
| CVE-2005-2096 | | | 0.00 | — | 0.05 | | Jul 6, 2005 | zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. |
| CVE-2004-0797 | | | 0.00 | — | 0.00 | | Oct 20, 2004 | The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash). |