Debian Zlib vulnerabilities
13 known vulnerabilities affecting debian/zlib.
Total CVEs: 13
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 4, LOW 5
Vulnerabilities
CVE-2026-22184 | LOW | CVSS 4.6 | fixed in zlib 1:1.2.6.dfsg-1 (bookworm) | 2026
CVE-2026-22184 [MEDIUM]: zlib
zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command li
debian
CVE-2026-27171 | LOW | CVSS 2.9 | fixed in zlib 1:1.3.dfsg+really1.3.2-1 (sid) | 2026
CVE-2026-27171 [LOW]: zlib
zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in 1:1.3.dfsg+really1.3.2-1)
trixie: open
debian
CVE-2023-45853 | CRITICAL | CVSS 9.8 | fixed in minizip 1.1-8+deb12u1 (bookworm) | 2023
CVE-2023-45853 [CRITICAL]: minizip
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code throu
debian
CVE-2022-37434 | CRITICAL | CVSS 9.8 | fixed in libz-mingw-w64 1.2.12+dfsg-2 (bookworm) | 2022
CVE-2022-37434 [CRITICAL]: libz-mingw-w64
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
Scope: local
b
debian
CVE-2018-25032 | HIGH | CVSS 7.5 | fixed in libz-mingw-w64 1.2.11+dfsg-5 (bookworm) | 2018
CVE-2018-25032 [HIGH]: libz-mingw-w64
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Scope: local
bookworm: resolved (fixed in 1.2.11+dfsg-5)
bullseye: open
forky: resolved (fixed in 1.2.11+dfsg-5)
sid: resolved (fixed in 1.2.11+dfsg-5)
trixie: resolved (fixed in 1.2.11+dfsg-5)
debian
CVE-2016-9843 | CRITICAL | CVSS 9.8 | fixed in rsync 3.1.3-6 (bookworm) | 2016
CVE-2016-9843 [CRITICAL]: rsync
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
Scope: local
bookworm: resolved (fixed in 3.1.3-6)
bullseye: resolved (fixed in 3.1.3-6)
forky: resolved (fixed in 3.1.3-6)
sid: resolved (fixed in 3.1.3-6)
trixie: resolved (fixed in 3.1.3-6)
debian
CVE-2016-9841 | CRITICAL | CVSS 9.8 | fixed in rsync 3.1.3-6 (bookworm) | 2016
CVE-2016-9841 [CRITICAL]: rsync
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Scope: local
bookworm: resolved (fixed in 3.1.3-6)
bullseye: resolved (fixed in 3.1.3-6)
forky: resolved (fixed in 3.1.3-6)
sid: resolved (fixed in 3.1.3-6)
trixie: resolved (fixed in 3.1.3-6)
debian
CVE-2016-9842 | HIGH | CVSS 8.8 | fixed in rsync 3.1.3-6 (bookworm) | 2016
CVE-2016-9842 [HIGH]: rsync
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
Scope: local
bookworm: resolved (fixed in 3.1.3-6)
bullseye: resolved (fixed in 3.1.3-6)
forky: resolved (fixed in 3.1.3-6)
sid: resolved (fixed in 3.1.3-6)
trixie: resolved (fixed in 3.1.3-6)
debian
CVE-2016-9840 | HIGH | CVSS 8.8 | fixed in rsync 3.1.3-6 (bookworm) | 2016
CVE-2016-9840 [HIGH]: rsync
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Scope: local
bookworm: resolved (fixed in 3.1.3-6)
bullseye: resolved (fixed in 3.1.3-6)
forky: resolved (fixed in 3.1.3-6)
sid: resolved (fixed in 3.1.3-6)
trixie: resolved (fixed in 3.1.3-6)
debian
CVE-2005-2096 | LOW | CVSS 7.5 | fixed in aide 0.10-6.1.1 (bookworm) | 2005
CVE-2005-2096 [HIGH]: aide
zlib 1.2 and later versions allow remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.
Scope: local
bookworm: resolved (fixed in 0.10-6.1.1)
bullseye: resolved (fixed in 0.10-6.1.1)
forky: resolved (
debian
CVE-2005-1849 | LOW | CVSS 5.0 | fixed in sash 3.7-5sarge1 (bookworm) | 2005
CVE-2005-1849 [MEDIUM]: sash
inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.
Scope: local
bookworm: resolved (fixed in 3.7-5sarge1)
bullseye: resolved (fixed in 3.7-5sarge1)
forky: resolved (fixed in 3.7-5sarge1)
sid: resolved (fixed in 3.7-5sarge1)
trixie: resolved (fixed in 3.7-
debian
CVE-2004-0797 | LOW | CVSS 2.1 | fixed in zlib 1:1.2.1.1-6 (bookworm) | 2004
CVE-2004-0797 [LOW]: zlib
The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).
Scope: local
bookworm: resolved (fixed in 1:1.2.1.1-6)
bullseye: resolved (fixed in 1:1.2.1.1-6)
forky: resolved (fixed in 1:1.2.1.1-6)
sid: resolved (fixed in 1:1.2.1.1-6)
trixie: resolved (fixed in 1:1
debian
CVE-2003-0107 | HIGH | CVSS 7.5 | PoC | fixed in zlib 1:1.1.4-10 (bookworm) | 2003
CVE-2003-0107 [HIGH]: zlib
Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 1:1.1.4-10)
bullseye: resolved (fixed in 1:1.1.4-10)
forky: resolved (fixed in 1:1.1.4-10)
sid: resolv
debian