CVE-2026-27820
published 2026-04-16

Priority: P260
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.56% (42.4th percentile)
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity. This issue has been fixed in versions 3.0.1, 3.1.2 and 3.2.3.
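The defect described above is an ordering problem: the data shift happens before anyone checks that the destination can hold it. The following is an added, constructed C model of that "ungets" pattern with the guard placed first; it is not the ruby/zlib extension's own code, and every name in it (zbuf, zbuf_reserve, zbuf_ungets) is hypothetical.

```c
/* Constructed model, not the ruby/zlib extension. A growable byte buffer
 * holds already-produced output; zbuf_ungets() pushes caller-provided
 * bytes in front of it, which is what zstream_buffer_ungets does. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *data;
    size_t len;   /* bytes currently held */
    size_t cap;   /* bytes allocated */
} zbuf;

static int zbuf_init(zbuf *b, size_t cap) {
    b->data = malloc(cap ? cap : 1);
    if (!b->data) return -1;
    b->len = 0;
    b->cap = cap;
    return 0;
}

/* Make room for `extra` more bytes, growing geometrically.
 * Returns 0 on success, -1 on size_t overflow or allocation failure. */
static int zbuf_reserve(zbuf *b, size_t extra) {
    if (extra > (size_t)-1 - b->len) return -1;
    size_t need = b->len + extra;
    if (need <= b->cap) return 0;
    size_t ncap = b->cap ? b->cap : 16;
    while (ncap < need) {
        if (ncap > (size_t)-1 / 2) { ncap = need; break; }
        ncap *= 2;
    }
    unsigned char *p = realloc(b->data, ncap);
    if (!p) return -1;
    b->data = p;
    b->cap = ncap;
    return 0;
}

/* Prepend n bytes ahead of the existing output. The advisory's defect is
 * doing the memmove without this reserve step: when len + n exceeds cap
 * the shifted data is written past the end of the allocation. */
static int zbuf_ungets(zbuf *b, const unsigned char *src, size_t n) {
    if (zbuf_reserve(b, n) != 0) return -1;   /* guard BEFORE moving data */
    memmove(b->data + n, b->data, b->len);    /* shift existing output */
    memcpy(b->data, src, n);                  /* place the pushed-back bytes */
    b->len += n;
    return 0;
}
```

The case to exercise is a buffer that is exactly full (len == cap) receiving a second ungets, which is precisely when the unguarded memmove would overrun.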

Affected (9 ranges)

Vendor      Product   Version range        Fixed in
ruby-lang   zlib      < 3.0.1              3.0.1
ruby-lang   zlib      >= 3.1.0 < 3.1.2     3.1.2
ruby-lang   zlib      >= 3.2.0 < 3.2.3     3.2.3
ruby        zlib      < 3.0.1              3.0.1
ruby        zlib      (not given)          (not given)
ruby        zlib      (not given)          (not given)
zlib        zlib      >= 0 < 3.0.1         3.0.1
zlib        zlib      >= 3.1.0 < 3.1.2     3.1.2
zlib        zlib      >= 3.2.0 < 3.2.3     3.2.3

Detection & IOCs

  • Vulnerable function: zstream_buffer_ungets in Zlib::GzipReader performs a memmove of existing data without first ensuring the backing Ruby string has sufficient capacity, leading to buffer overflow and memory corruption.
  • The patch commit for CVE-2026-27820 is available in the upstream ruby/zlib repository; diff this commit to identify the exact capacity-check guard added to zstream_buffer_ungets, for use in source-code scanning or SAST rules.
  • Red Hat rates exploitability as high complexity and notes the attacker may not have full control over corrupted/exfiltrated data, reducing practical impact; however, memory corruption can still cause system instability.
  • Red Hat Enterprise Linux 10 (ruby4.0 package) has a fix deferred; no mitigation meeting Red Hat's criteria is currently available for affected RHEL deployments.

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v4.0): 1.7 LOW, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat: 1.7 LOW