
zlib

Vendor: zlib

Actively Exploited (CISA KEV List): 0
PoC / Exploits (Code Available): 3
Total RCEs (Remote Access): 2
Total CVEs (Total Indexed): 85
Avg. EPSS (Exploit Prob.): 17.81%
Latest CVE: CVE-2026-27171 (Feb 18)

Security Vulnerability Index

2.9 CVSS

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

EPSS: 0.01%
4.6 CVSS

zlib versions up to and including 1.3.1.2 include a global buffer overflow in the untgz utility located under contrib/untgz. The vulnerability is limited to the standalone demonstration utility and does not affect the core zlib compression library. The flaw occurs when a user executes the untgz command with an excessively long archive name supplied via the command line, leading to an out-of-bounds write in a fixed-size global buffer.

EPSS: 0.01%
7.3 CVSS

When libcurl is asked to perform automatic gzip decompression of content-encoded HTTP responses with the `CURLOPT_ACCEPT_ENCODING` option, **using zlib 1.2.0.3 or older**, an attacker-controlled integer overflow would make libcurl perform a buffer overflow.

EPSS: 0.60%
9.8 CVSS

MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API.

EPSS: 1.40%
9.8 CVSS
CVE-2022-37434
Exploit Found

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

EPSS: 92.54%
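The entry above turns on one detail: the gzip header's optional extra field (FEXTRA, a 16-bit XLEN followed by up to 65535 bytes) is attacker-controlled, and zlib copies it into the fixed-size buffer a caller hands over through gz_header.extra / gz_header.extra_max when inflateGetHeader was used. The added example below is not zlib's code or a reproducer from the index; it is a self-constructed Python script (Python's built-in zlib module links the system zlib, so it runs without a C toolchain) that builds a gzip member with an oversized extra field, shows the bounded-copy invariant a header consumer must hold by hand, and confirms that the plain inflate path (wbits = 31, no inflateGetHeader) still decodes the member. Function names, the payload and the 60000-byte extra field are constructed for the example.

```python
import struct
import zlib

FHCRC, FEXTRA, FNAME, FCOMMENT = 0x02, 0x04, 0x08, 0x10

# Constructed sample payload for the example (not from the page).
PAYLOAD = b"zlib vulnerability index sample payload\n" * 64


def build_gzip_with_extra(payload: bytes, extra: bytes) -> bytes:
    """Wrap payload in one gzip member whose header carries an FEXTRA field.
    XLEN is a 16-bit little-endian length, so the field is at most 65535 bytes."""
    if len(extra) > 0xFFFF:
        raise ValueError("extra field longer than XLEN can express")
    header = bytes([0x1F, 0x8B, 0x08, FEXTRA])        # ID1, ID2, CM=deflate, FLG
    header += struct.pack("<IBB", 0, 0, 255)           # MTIME, XFL, OS=unknown
    header += struct.pack("<H", len(extra)) + extra    # XLEN + extra bytes
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate body
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def read_extra_bounded(member: bytes, extra_max: int) -> tuple[bytes, int]:
    """Parse a gzip header and copy at most extra_max bytes of the extra field
    into a fixed-size buffer. This is the invariant a caller of inflateGetHeader
    relies on zlib to hold for gz_header.extra / gz_header.extra_max; here it is
    done by hand. Returns (copied_bytes, full_extra_len_from_header)."""
    if len(member) < 10 or member[:2] != b"\x1f\x8b" or member[2] != 8:
        raise ValueError("not a gzip member")
    flg = member[3]
    pos = 10
    buf = bytearray(extra_max)
    extra_len = 0
    copied = 0
    if flg & FEXTRA:
        if pos + 2 > len(member):
            raise ValueError("truncated XLEN")
        (extra_len,) = struct.unpack_from("<H", member, pos)
        pos += 2
        if pos + extra_len > len(member):
            raise ValueError("truncated extra field")
        # The copy is bounded by the buffer we own, never by the attacker-supplied XLEN.
        copied = min(extra_len, extra_max)
        buf[:copied] = member[pos:pos + copied]
        pos += extra_len                      # skip the remainder, do not store it
    for flag in (FNAME, FCOMMENT):            # zero-terminated strings, if present
        if flg & flag:
            end = member.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated header string")
            pos = end + 1
    if flg & FHCRC:
        pos += 2
    if pos > len(member):
        raise ValueError("truncated header")
    return bytes(buf[:copied]), extra_len


def inflate_gzip(member: bytes) -> bytes:
    """Decompress with inflate in gzip mode (wbits = 16 + MAX_WBITS). CPython's
    zlib module never calls inflateGetHeader, so this path fills no gz_header
    and is outside the affected call pattern described in the entry above."""
    return zlib.decompress(member, zlib.MAX_WBITS | 16)


if __name__ == "__main__":
    member = build_gzip_with_extra(PAYLOAD, b"A" * 60000)
    assert inflate_gzip(member) == PAYLOAD
    copy, full = read_extra_bounded(member, 1024)
    print(f"extra field declares {full} bytes; copied {len(copy)} into a 1024-byte buffer")
```

When auditing a C code base for this entry, grep for inflateGetHeader and for assignments to gz_header.extra: a caller that sets extra but passes an extra_max smaller than what an untrusted stream can declare is the pattern that depended on the broken bound in zlib <= 1.2.12, and upgrading zlib (or the vendored copy) is the fix; dropping the gz_header entirely, as this Python path effectively does, removes the surface.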
7.5 CVSS
CVE-2018-25032
RCE Exploit Found

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

EPSS: 0.09%
9.8 CVSS

The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.

EPSS: 13.50%
8.8 CVSS

The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.

EPSS: 12.60%
9.8 CVSS

inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

EPSS: 19.18%
8.8 CVSS

inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.

EPSS: 9.83%
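Every entry on this page is scoped by a zlib version range ("before 1.3.2", "through 1.2.12", "up to and including 1.3.1.2", "1.2.0.3 or older", or an exact "1.2.8"). The added script below is not part of the index or of zlib; it is a triage helper that encodes those ranges exactly as worded above, parses a zlib version string into a comparable tuple, and reports which entries apply to the zlib that the running Python interpreter was built against and is loading at runtime (zlib.ZLIB_VERSION and zlib.ZLIB_RUNTIME_VERSION are the real module attributes; the AFFECTED table, the operator mapping and the function names are my own). Version matching is a starting point only: distributions commonly backport fixes without bumping the version string, so a hit here means "check the package changelog", not "exploitable".

```python
import re
import zlib

# Affected ranges transcribed from the entries above, one row per description.
# "<" = "before", "<=" = "through" / "up to and including" / "or older", "==" = exact.
AFFECTED = [
    ("crc32_combine64 / crc32_combine_gen64 CPU consumption", "<", "1.3.2"),
    ("contrib/untgz global buffer overflow (demo utility only)", "<=", "1.3.1.2"),
    ("libcurl gzip decoding integer overflow (zlib side)", "<=", "1.2.0.3"),
    ("MiniZip zipOpenNewFileInZip4_64 heap overflow", "<=", "1.3"),
    ("CVE-2022-37434 inflateGetHeader extra-field overflow", "<=", "1.2.12"),
    ("CVE-2018-25032 deflate memory corruption", "<", "1.2.12"),
    ("crc32_big / inflateMark / inffast / inftrees issues in 1.2.8", "==", "1.2.8"),
]


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '1.2.11', '1.3.1.2' or a tagged string such as '1.3.1.zlib-ng' into
    an integer tuple; anything after the leading dotted digits is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"not a zlib version string: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def affected_entries(version: str) -> list[str]:
    """Return the names of index entries whose stated range covers `version`.
    Python tuple ordering gives the intended semantics: (1, 3) < (1, 3, 1) and
    (1, 2, 8) > (1, 2, 0, 3), so 'through 1.3' excludes 1.3.1 and 1.2.8 is
    newer than 1.2.0.3."""
    v = parse_version(version)
    hits = []
    for name, op, bound in AFFECTED:
        b = parse_version(bound)
        if (op == "<" and v < b) or (op == "<=" and v <= b) or (op == "==" and v == b):
            hits.append(name)
    return hits


def runtime_report() -> dict:
    """Compare the zlib CPython was compiled against with the one loaded now;
    a mismatch usually means a shared library was upgraded underneath the build."""
    compiled, runtime = zlib.ZLIB_VERSION, zlib.ZLIB_RUNTIME_VERSION
    return {
        "compiled_against": compiled,
        "loaded_at_runtime": runtime,
        "version_mismatch": parse_version(compiled) != parse_version(runtime),
        "entries_matching_runtime": affected_entries(runtime),
    }


if __name__ == "__main__":
    for key, value in runtime_report().items():
        print(f"{key}: {value}")
```

The exact-match row for 1.2.8 is deliberately narrow because that is all the four "zlib 1.2.8" descriptions assert; if you know those fixes landed in 1.2.8.1 or later, widen the operator yourself rather than trusting the descriptions alone.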