CVE-2026-27171 — Improper Validation of Specified Quantity in Input in Zlib
Severity
9.8 CRITICAL (NVD)
NVD 5.5, CNA 2.9, OSV 5.5
EPSS
0.0%
top 99.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Feb 18
Latest update: Mar 29
Description
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 12 packages
Vulnerability Details (11)
CVEList
Perl versions from 5.9.4 before 5.40.4-RC1, from 5.41.0 before 5.42.2-RC1, from 5.43.0 before 5.43.9 contain a vulnerable version of Compress::Raw::Zlib (2026-03-29)
Vendor Advisories (7)
Red Hat
Perl: Compress::Raw::Zlib: zlib: Perl: Multiple vulnerabilities due to an outdated vendored zlib library (2026-03-29)
Microsoft
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition. (2026-02-10)
Debian
CVE-2026-27171: zlib - zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_g... (2026)