CVE-2022-37434 — Out-of-bounds Write in Zlib

CWE-787 — Out-of-bounds Write CWE-120 — Classic Buffer Overflow CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer25 documents11 sources

Severity

9.8CRITICALNVD

EPSS

92.5%

top 0.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zlib Apple Ipados Apple Iphone OS +5 more

Timeline

PublishedAug 5

Latest updateJul 15

Description

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages7 packages

▶Debianzlib/zlib< 1:1.2.11.dfsg-2+deb11u2+3

▶NVDzlib/zlib1.2.12

▶NVDapple/macos11.0 — 11.7.1+1

▶NVDapple/ipados< 15.7.1

▶NVDapple/watchos< 9.1

Also affects: Debian Linux 10.0, Fedora 35, 36, 37

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

klibc vulnerabilities↗2024-04-16

▶

GHSA

GHSA-cfmr-vrgj-vqwv: zlib through 1↗2022-08-06

▶

CVEList

CVE-2022-37434: zlib through 1↗2022-08-05

▶

OSV

CVE-2022-37434: zlib through 1↗2022-08-05

▶

📋Vendor Advisories

Oracle

Oracle Oracle Siebel CRM Risk Matrix: Repository Utilities (zlib) — CVE-2022-37434↗2024-07-15

▶

Ubuntu

klibc vulnerabilities↗2024-05-23

▶

Ubuntu

klibc vulnerabilities↗2024-04-16

▶

Oracle

Oracle Oracle Hyperion Risk Matrix: Security (zlib) — CVE-2022-37434↗2024-01-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Virtual Network Function Manager (zlib) — CVE-2022-37434↗2023-07-15

▶