vulnerability

Debian: CVE-2026-22184: zlib -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:L/Au:N/C:P/I:P/A:C)	Jan 9, 2026	Jan 9, 2026	Jan 9, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:C)

Published

Jan 9, 2026

Added

Jan 9, 2026

Modified

Jan 9, 2026

Description

zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.

Solution

debian-upgrade-zlib

References

CVE-2026-22184
https://attackerkb.com/topics/CVE-2026-22184
CWE-120

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today