CVE-2026-27820
Published 2026-04-16
Priority P260 · critical · CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.56% (42.4th percentile)
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | zlib | < 3.0.1 | 3.0.1 |
| ruby-lang | zlib | >= 3.1.0 < 3.1.2 | 3.1.2 |
| ruby-lang | zlib | >= 3.2.0 < 3.2.3 | 3.2.3 |
| ruby | zlib | < 3.0.1 | 3.0.1 |
| ruby | zlib | — | — |
| ruby | zlib | — | — |
| zlib | zlib | >= 0 < 3.0.1 | 3.0.1 |
| zlib | zlib | >= 3.1.0 < 3.1.2 | 3.1.2 |
| zlib | zlib | >= 3.2.0 < 3.2.3 | 3.2.3 |
Detection & IOCs (extracted from sources)
- Vulnerable function: zstream_buffer_ungets in Zlib::GzipReader performs memmove of existing data without first ensuring the backing Ruby string has sufficient capacity, leading to buffer overflow and memory corruption.
- Patch commit for CVE-2026-27820 is available at the upstream ruby/zlib repository; diff this commit to identify the exact capacity-check guard added to zstream_buffer_ungets for use in source-code scanning or SAST rules.
- Red Hat rates exploitability as high complexity and notes the attacker may not have full control over corrupted/exfiltrated data, reducing practical impact; however, memory corruption can still cause system instability.
- Red Hat Enterprise Linux 10 (ruby4.0 package) has a fix deferred; no mitigation meeting Red Hat's criteria is currently available for affected RHEL deployments.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v4.0: 1.7 LOW (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
- Red Hat (vendor): 1.7 LOW
Red Hat
zlib: zlib: Memory corruption via buffer overflow in Zlib::GzipReader
vendor_redhat · 2026-04-16 · CVSS 1.7 · CVE-2026-27820 [LOW] · CWE-131
A flaw was found in zlib, a Ruby interface for the zlib compression/decompression library. The Zlib::GzipReader component contains a buffer overflow vulnerability. This occurs because the zstream_buffer_ungets function does not ensure sufficient memory capacity before moving existing data, which can lead to memory corruption. An attacker could potentially exploit this to cause unexpected behavior or system instability.
Statement: A buffer overflow vulnerability exists in the Zlib::GzipReader component of the Ruby zlib interface. This flaw, caused by insufficient memory capacity during data manipulation, could lead to memory corruption and system instability. This vulnerability is considered of a Moderate severity this
VulDB
ruby zlib up to 3.0.0/3.1.1/3.2.2 zlib::GzipReader buffer overflow (GHSA-g857-hhfv-j68w)
vuldb · 2026-04-16 · CVSS 1.7 · CVE-2026-27820 [LOW]
A vulnerability categorized as critical has been discovered in ruby zlib up to 3.0.0/3.1.1/3.2.2. The affected element is the function zlib::GzipReader. Executing a manipulation can lead to buffer overflow.
This vulnerability is handled as CVE-2026-27820. The attack can be executed remotely. No exploit is available.
It is advisable to upgrade the affected component.
GHSA
Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption
ghsa · 2026-04-16 · CVE-2026-27820 [MEDIUM] · CWE-120
### Details
A buffer overflow vulnerability exists in `Zlib::GzipReader`.
The `zstream_buffer_ungets` function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity.
### Recommended action
We recommend updating the `zlib` gem to version 3.2.3 or later. To ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
* For Ruby 3.2 users: Update to zlib 3.0.1
* For Ruby 3.3 users: Update to zlib 3.1.2
You can use `gem update zlib` to update it. If you are usi
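An added check, not part of the GHSA advisory or the ruby/zlib project, that applies the affected ranges from the table above to a zlib gem version string and returns the version to move to, which matches the per-Ruby-series guidance (a 3.0.x install maps to 3.0.1, a 3.1.x install to 3.1.2); it assumes `Zlib::VERSION` reports the extension's own gem version rather than the C library's.

```ruby
require "rubygems"

# Affected ranges and their fixes, transcribed from the advisory table on this page.
ZLIB_CVE_2026_27820_RANGES = [
  { affected: Gem::Requirement.new("< 3.0.1"),             fixed: "3.0.1" },
  { affected: Gem::Requirement.new(">= 3.1.0", "< 3.1.2"), fixed: "3.1.2" },
  { affected: Gem::Requirement.new(">= 3.2.0", "< 3.2.3"), fixed: "3.2.3" },
].freeze

# Returns the fixed version an installed zlib gem should be raised to, or nil
# when the version string falls outside every affected range (already fixed).
# Uses RubyGems version semantics, so "3.0.0.1" or "3.2.2.pre" compare correctly.
def zlib_fix_for(version_string)
  version = Gem::Version.new(version_string)
  entry = ZLIB_CVE_2026_27820_RANGES.find { |r| r[:affected].satisfied_by?(version) }
  entry && entry[:fixed]
end

# Reports on the zlib extension loaded into this Ruby process.
# Assumption: Zlib::VERSION is the Ruby/zlib gem version (Zlib::ZLIB_VERSION is the C library).
def zlib_status_report
  require "zlib"
  installed = Zlib::VERSION
  fix = zlib_fix_for(installed)
  if fix
    "zlib #{installed} is affected by CVE-2026-27820; update to #{fix} (gem update zlib)"
  else
    "zlib #{installed} is not in an affected range for CVE-2026-27820"
  end
end

puts zlib_status_report if $PROGRAM_NAME == __FILE__
```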
No detection rules found.
No public exploits indexed.