CVE-2022-37434
Published 2022-08-05
Priority P2 · 61 · critical 9.8 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 15.93% (96.5th percentile)
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Affected
60 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | ios_15.7.1_and_ipados | — | — |
| apple | ios_16.1_and_ipados | — | — |
| apple | ipados | < 15.7.1 | 15.7.1 |
| apple | iphone_os | < 15.7.1 | 15.7.1 |
| apple | iphone_os | >= 16.0 < 16.1 | 16.1 |
| apple | macos | >= 11.0 < 11.7.1 | 11.7.1 |
| apple | macos | >= 12.0.0 < 12.6.1 | 12.6.1 |
| apple | macos_big_sur | — | — |
| apple | macos_monterey | — | — |
| apple | macos_ventura | — | — |
| apple | watchos | < 9.1 | 9.1 |
| apple | watchos | — | — |
| debian | debian_linux | — | — |
| debian | libz-mingw-w64 | < libz-mingw-w64 1.2.12+dfsg-2 (bookworm) | libz-mingw-w64 1.2.12+dfsg-2 (bookworm) |
| debian | zlib | < libz-mingw-w64 1.2.12+dfsg-2 (bookworm) | libz-mingw-w64 1.2.12+dfsg-2 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| klibc_project | klibc | >= 0 < 2.0.7-1ubuntu5.2 | 2.0.7-1ubuntu5.2 |
| klibc_project | klibc | >= 0 < 2.0.10-4ubuntu0.1 | 2.0.10-4ubuntu0.1 |
| klibc_project | klibc | >= 0 < 2.0.13-4ubuntu0.1 | 2.0.13-4ubuntu0.1 |
| klibc_project | klibc | >= 0 < 2.0.3-0ubuntu1.14.04.3+esm3 | 2.0.3-0ubuntu1.14.04.3+esm3 |
| klibc_project | klibc | >= 0 < 2.0.4-8ubuntu1.16.04.4+esm2 | 2.0.4-8ubuntu1.16.04.4+esm2 |
| klibc_project | klibc | >= 0 < 2.0.4-9ubuntu2.2+esm1 | 2.0.4-9ubuntu2.2+esm1 |
| msrc | azl3_binutils_2.41-5_on_azure_linux_3.0 | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered during inflate operations in zlib when processing a large gzip header extra field; monitor for anomalously large gzip header extra field values passed to inflate/inflateGetHeader.
- Only applications that explicitly call inflateGetHeader are exploitable; focus detection and patching efforts on binaries/processes that invoke inflateGetHeader from zlib.
- The vulnerability can be triggered remotely over TCP/IP; network-level inspection of gzip-compressed traffic for oversized header extra fields is a viable detection point.
- On Apple iOS/iPadOS, exploitation via a malicious Wi-Fi network can cause denial-of-service of the Settings app; anomalous Settings app crashes after joining a new Wi-Fi network may indicate exploitation attempts.
- Not all applications bundling zlib are exploitable; only those that actually call inflateGetHeader are affected, so triage should confirm the call path before treating a zlib instance as vulnerable.
- The affected zlib versions are 1.2.12 and earlier; ensure version checks target zlib <= 1.2.12 when scanning for vulnerable components.
CVSS provenance
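| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | |
| vendor_debian | 9.8 | CRITICAL | |
| vendor_msrc | 9.8 | CRITICAL | |
| vendor_oracle | 9.8 | CRITICAL | |
| vendor_redhat | 9.8 | CRITICAL | |
| vendor_ubuntu | 8.8 | HIGH | |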
CISA ICS
ABB M2M Gateway
cisa_ics·2025-04-15
ICS Advisory
Release Date: April 15, 2025
Alert Code: ICSA-25-105-08
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: M2M Gateway
- Vulnerabilities: Integer Overflow or Wraparound, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Unquoted Search Path or Element, Untrusted Search Path, Use After Free, Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Release of Memory after Effective Lifetime, Allocation of Resources Without Limits or Throttling, Improper Privilege Management, Improper Limitati
Palo Alto
PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
vendor_paloalto·2024-10-29·CVSS 9.8
CVE-2019-17006 [CRITICAL] PAN-SA-2024-0012 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution.
| CVE | Summary |
|---|---|
| CVE-2019-17006 | This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. |
| CVE-2021-3518 | This CVE is fixed in PAN-OS 10.2.0, and all later versions of PAN-OS. |
| CVE-2021-25219 | This CVE is fixed in PAN-OS 10.2.3, and all later versions of PAN-OS. |
| CVE-2021-27645 | This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions of PAN-OS. |
| CVE-2021-34798 | This CVE is fixed in PAN-OS 10.2.8, PAN-OS 11.0.2, and all later versions o |
Oracle
Oracle Oracle Siebel CRM Risk Matrix: Repository Utilities (zlib) — CVE-2022-37434
vendor_oracle·2024-07-15·CVSS 9.8
CVE-2022-37434 [CRITICAL] Oracle Oracle Siebel CRM Risk Matrix: Repository Utilities (zlib) — CVE-2022-37434
Oracle Oracle Siebel CRM Risk Matrix: Repository Utilities (zlib) vulnerability
CVE: CVE-2022-37434
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Ubuntu
klibc vulnerabilities
vendor_ubuntu·2024-05-23·CVSS 8.8
CVE-2016-9841 [HIGH] klibc vulnerabilities
Title: klibc vulnerabilities
Summary: Several security issues were fixed in klibc.
USN-6736-1 fixed vulnerabilities in klibc. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate op
Ubuntu
klibc vulnerabilities
vendor_ubuntu·2024-04-16·CVSS 8.8
CVE-2018-25032 [HIGH] klibc vulnerabilities
Title: klibc vulnerabilities
Summary: Several security issues were fixed in klibc.
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)
Instructions: In
Oracle
Oracle Oracle Hyperion Risk Matrix: Security (zlib) — CVE-2022-37434
vendor_oracle·2024-01-15·CVSS 9.8
CVE-2022-37434 [CRITICAL] Oracle Oracle Hyperion Risk Matrix: Security (zlib) — CVE-2022-37434
Oracle Oracle Hyperion Risk Matrix: Security (zlib) vulnerability
CVE: CVE-2022-37434
CVSS: 9.8
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
CISA ICS
Siemens PNI
cisa_ics·2023-11-16·CVSS 5.5
[MEDIUM] Siemens PNI
ICS Advisory
Release Date: November 16, 2023
Alert Code: ICSA-23-320-12
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SINEC PNI
- Vulnerabilities: Improper Input Validation, Out-of-bounds Write
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to achieve remote code execution, a denial-of-service condi
Oracle
Oracle Oracle Communications Risk Matrix: Virtual Network Function Manager (zlib) — CVE-2022-37434
vendor_oracle·2023-07-15·CVSS 9.8
CVE-2022-37434 [CRITICAL] Oracle Oracle Communications Risk Matrix: Virtual Network Function Manager (zlib) — CVE-2022-37434
Oracle Oracle Communications Risk Matrix: Virtual Network Function Manager (zlib) vulnerability
CVE: CVE-2022-37434
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2023 (JUL 2023)
Oracle
Oracle Oracle Communications Risk Matrix: Mediation Engine (glibc) — CVE-2022-37434
vendor_oracle·2023-04-15·CVSS 9.8
CVE-2022-37434 [CRITICAL] Oracle Oracle Communications Risk Matrix: Mediation Engine (glibc) — CVE-2022-37434
Oracle Oracle Communications Risk Matrix: Mediation Engine (glibc) vulnerability
CVE: CVE-2022-37434
CVSS: 9.8
Protocol: TCP/IP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2023 (APR 2023)
Oracle
Oracle Oracle TimesTen In-Memory Database Risk Matrix: In-Memory Database (zlib) — CVE-2022-37434
vendor_oracle·2023-01-15·CVSS 6.5
CVE-2022-37434 [CRITICAL] Oracle Oracle TimesTen In-Memory Database Risk Matrix: In-Memory Database (zlib) — CVE-2022-37434
Oracle Oracle TimesTen In-Memory Database Risk Matrix: In-Memory Database (zlib) vulnerability
CVE: CVE-2022-37434
CVSS: 6.5
Protocol: Oracle Net
Remote exploit: No
Affected versions: Network
Advisory: cpujan2023 (JAN 2023)
CISA ICS
Hitachi Energy Lumada Asset Performance Management
cisa_ics·2023-01-05·CVSS 7.5
[HIGH] Hitachi Energy Lumada Asset Performance Management
ICS Advisory
Last Revised: January 05, 2023
Alert Code: ICSA-23-005-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Hitachi Energy
- Equipment: Lumada Asset Performance Management (APM)
- Vulnerabilities: Classic Buffer Overflow, Out-of-bounds Write
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause a denial-of-service condition or unauthorized remote arbitrary code execution.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Lumada Asset Performance Management (APM), a web-based asset monitoring software deployable as both a cloud service or as a local deployment, are affected:
- Lumada AP
Apple
CVE-2022-37434: iOS 15.7.1 and iPadOS 15.7.1
vendor_apple·2022-10-27·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: iOS 15.7.1 and iPadOS 15.7.1
Apple Security Update: About the security content of iOS 15.7.1 and iPadOS 15.7.1
Product: iOS 15.7.1 and iPadOS
Version: 15.7.1
CVE: CVE-2022-37434
Component: Wi-Fi
Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app
Description: The issue was addressed with improved memory handling.
Apple
CVE-2022-37434: watchOS 9.1
vendor_apple·2022-10-24·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: watchOS 9.1
Apple Security Update: About the security content of watchOS 9.1
Product: watchOS
Version: 9.1
CVE: CVE-2022-37434
Component: WebKit
Impact: Processing maliciously crafted web content may disclose internal states of the app
Description: A correctness issue in the JIT was addressed with improved checks.
Apple
CVE-2022-37434: iOS 16.1 and iPadOS 16
vendor_apple·2022-10-24·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: iOS 16.1 and iPadOS 16
Apple Security Update: About the security content of iOS 16.1 and iPadOS 16
Product: iOS 16.1 and iPadOS
Version: 16
CVE: CVE-2022-37434
Component: Wi-Fi
Impact: Joining a malicious Wi-Fi network may result in a denial-of-service of the Settings app
Description: The issue was addressed with improved memory handling.
Apple
CVE-2022-37434: macOS Monterey 12.6.1
vendor_apple·2022-10-24·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: macOS Monterey 12.6.1
Apple Security Update: About the security content of macOS Monterey 12.6.1
Product: macOS Monterey
Version: 12.6.1
CVE: CVE-2022-37434
Component: WebKit
Impact: Processing maliciously crafted web content may lead to arbitrary code execution
Description: A type confusion issue was addressed with improved memory handling.
Apple
CVE-2022-37434: macOS Big Sur 11.7.1
vendor_apple·2022-10-24·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: macOS Big Sur 11.7.1
Apple Security Update: About the security content of macOS Big Sur 11.7.1
Product: macOS Big Sur
Version: 11.7.1
CVE: CVE-2022-37434
Component: Sandbox
Impact: An app with root privileges may be able to access private information
Description: This issue was addressed with improved data protection.
Apple
CVE-2022-37434: macOS Ventura 13
vendor_apple·2022-10-24·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: macOS Ventura 13
Apple Security Update: About the security content of macOS Ventura 13
Product: macOS Ventura
Version: 13
CVE: CVE-2022-37434
Component: Wi-Fi
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
Ubuntu
zlib vulnerability
vendor_ubuntu·2022-10-17
CVE-2022-37434 zlib vulnerability
Title: zlib vulnerability
Summary: zlib could be made to crash or run programs if it received specially
crafted input.
USN-5570-1 fixed a vulnerability in zlib. This update provides the
corresponding update for Ubuntu 22.04 LTS and Ubuntu 20.04 LTS.
Original advisory details:
Evgeny Legerov discovered that zlib incorrectly handled memory when
performing certain inflate operations. An attacker could use this issue
to cause zlib to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
BSD
FreeBSD-SA-22:13.zlib: zlib heap buffer overflow
bsd_advisories·2022-08-30·CVSS 9.8
CVE-2022-37434 [CRITICAL] FreeBSD-SA-22:13.zlib: zlib heap buffer overflow
FreeBSD-SA-22:13.zlib Security Advisory
The FreeBSD Project
Topic: zlib heap buffer overflow
Category: contrib
Module: zlib
Announced: 2022-08-30
Credits: Evgeny Legerov of @intevydis
Affects: All supported versions of FreeBSD.
Corrected: 2022-08-09 14:40:35 UTC (stable/13, 13.1-STABLE)
2022-08-30 23:02:48 UTC (releng/13.1, 13.1-RELEASE-p2)
2022-08-30 22:57:49 UTC (releng/13.0, 13.0-RELEASE-p13)
2022-08-09 14:45:04 UTC (stable/12, 12.3-STABLE)
2022-08-30 23:16:45 UTC (releng/12.3, 12.3-RELEASE-p7)
CVE Name: CVE-2022-37434
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
zlib is a software library implementing compression and decompression.
It is used in
Ubuntu
rsync vulnerability
vendor_ubuntu·2022-08-18
CVE-2022-37434 rsync vulnerability
Title: rsync vulnerability
Summary: rsync could be made to crash or run programs if it received specially
crafted input.
Evgeny Legerov discovered that zlib incorrectly handled memory when
performing certain inflate operations. An attacker could use this issue
to cause rsync to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
zlib vulnerability
vendor_ubuntu·2022-08-17
CVE-2022-37434 zlib vulnerability
Title: zlib vulnerability
Summary: zlib could be made to crash or run programs if it received specially
crafted input.
Evgeny Legerov discovered that zlib incorrectly handled memory when
performing certain inflate operations. An attacker could use this issue
to cause zlib to crash, resulting in a denial of service, or possibly
execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. S
vendor_msrc·2022-08-09·CVSS 9.8
CVE-2022-37434 [CRITICAL] CWE-787 zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. S
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g. see the nodejs/node reference).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began pub
Red Hat
zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
vendor_redhat·2022-08-05·CVSS 9.8
CVE-2022-37434 [CRITICAL] CWE-119 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
A security vulnerability was found in zlib. The flaw triggered a heap-based buffer in inflate in the inflate.c function via a large gzip header extra field. This flaw is only applicable in the call inflateGetHeader.
Statement: While some Red Hat Products bundle the affected zlib source code, in many cases it is not possible for an attacker to
Debian
CVE-2022-37434: libz-mingw-w64 - zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in infl...
vendor_debian·2022·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: libz-mingw-w64 - zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in infl...
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Scope: local
bookworm: resolved (fixed in 1.2.12+dfsg-2)
bullseye: open
forky: resolved (fixed in 1.2.12+dfsg-2)
sid: resolved (fixed in 1.2.12+dfsg-2)
trixie: resolved (fixed in 1.2.12+dfsg-2)
OSV
klibc vulnerabilities
osv·2024-05-23·CVSS 8.8
CVE-2016-9840 [HIGH] klibc vulnerabilities
USN-6736-1 fixed vulnerabilities in klibc. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to c
OSV
klibc vulnerabilities
osv·2024-04-16·CVSS 8.8
CVE-2016-9840 [HIGH] klibc vulnerabilities
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)
GHSA
GHSA-cfmr-vrgj-vqwv: zlib through 1
ghsa_unreviewed·2022-08-06
CVE-2022-37434 [CRITICAL] CWE-120 GHSA-cfmr-vrgj-vqwv: zlib through 1
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
OSV
CVE-2022-37434: zlib through 1
osv·2022-08-05·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434: zlib through 1
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-24799 dlib: heap-based buffer overflow in inflate() in zlib module (CVE-2022-37434) [fedora-42]
bugzilla·2026-01-28·CVSS 9.8
CVE-2026-24799 [CRITICAL] CVE-2026-24799 dlib: heap-based buffer overflow in inflate() in zlib module (CVE-2022-37434) [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained v
Bugzilla
CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
bugzilla·2022-08-09·CVSS 9.8
CVE-2022-37434 [CRITICAL] CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
https://github.com/ivd38/zlib_overflow
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063
http://www
Qualys
Oracle Critical Patch Update, July 2024 Security Update Review
blogs_qualys·2024-07-17
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware foll
Qualys
Oracle Critical Patch Security Update: July 2024 Review | Qualys
blogs_qualys·2024-07-17
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middlewa
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review
blogs_qualys·2023-07-19
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followed, with
Qualys
Oracle Patch Tuesday, July 2023 Security Update Review | Qualys
blogs_qualys·2023-07-19
Oracle has released its third quarterly edition of Critical Patch Update, which contains a group of patches for 508 security vulnerabilities. Some of the vulnerabilities addressed this month impact more than one product. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q3 2023 Oracle Critical Patch Update, the Oracle Financial Services Applications received the highest number of 147 patches, constituting 29% of the total patches released. Oracle Communications and Oracle Fusion Middleware followe
Qualys
Oracle Security Updates: Critical Patch April 2023 Advisory | Qualys
blogs_qualys·2023-04-19
Oracle has released the second quarterly edition of Critical Patch Update, which contains a group of patches for 433 security vulnerabilities. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q2 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 77, constituting 17% of the total patches released. The Oracle Financial Services Applications and Oracle Fusion Mi
Qualys
Oracle Patch Tuesday April 2023 Security Update Review
blogs_qualys·2023-04-19
Oracle has released the second quarterly edition of Critical Patch Update, which contains a group of patches for 433 security vulnerabilities. Some of the vulnerabilities addressed this month impact various products. These patches address vulnerabilities in Oracle code and third-party components included in Oracle products.
During Q2 2023 Oracle Critical Patch Update, the Oracle Communications product suite recorded the highest number of patches at 77, constituting 17% of the total patches released. The Oracle Financial Services Applications and Oracle Fusion Middlewar
arXiv
SandCell: Sandboxing Rust Beyond Unsafe Code
arxiv_fulltext·2026-01-18
Authors: Jialun Zhang (Pennsylvania State University, University Park, USA), Merve Gülmez (Ericsson Security Research, Sweden), Thomas Nyman (Ericsson Product Security, Sweden), Gang Tan (Pennsylvania State University, University Park, USA)
Anon. Submission Id: 2275
First review cycle of CCS'26, November 15-19, 2026, The Hague, The Netherlands
## Abstract
Rust is a modern systems programming language that ensures memory safety by
enforcing ownership and borrowing rules at compile time. While the unsafe
keyword allows programmers to bypass these restrictions, it introduces
significant risks. Vario
References
- http://seclists.org/fulldisclosure/2022/Oct/37
- http://seclists.org/fulldisclosure/2022/Oct/38
- http://seclists.org/fulldisclosure/2022/Oct/41
- http://seclists.org/fulldisclosure/2022/Oct/42
- http://www.openwall.com/lists/oss-security/2022/08/05/2
- http://www.openwall.com/lists/oss-security/2022/08/09/1
- https://github.com/curl/curl/issues/9271
- https://github.com/ivd38/zlib_overflow
- https://github.com/madler/zlib/blob/21767c654d31d2dccdde4330529775c6c5fd5389/zlib.h#L1062-L1063
- https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
- https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
- https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
- https://lists.debian.org/debian-lts-announce/2022/09/msg00012.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JWN4VE3JQR4O2SOUS5TXNLANRPMHWV4I/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAVPQNCG3XRLCLNSQRM3KAN5ZFMVXVTY/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X5U7OTKZSHY2I3ZFJSR2SHFHW72RKGDK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
- https://security.netapp.com/advisory/ntap-20220901-0005/
- https://security.netapp.com/advisory/ntap-20230427-0007/
- https://support.apple.com/kb/HT213488
- https://support.apple.com/kb/HT213489
- https://support.apple.com/kb/HT213490
- https://support.apple.com/kb/HT213491
- https://support.apple.com/kb/HT213493
- https://support.apple.com/kb/HT213494
- https://www.debian.org/security/2022/dsa-5218